    Program Similarity Analysis for Malware Classification and its Pitfalls

    Malware classification, specifically the task of grouping malware samples into families according to their behaviour, is vital in order to understand the threat they pose and how to protect against them. Recognizing whether one program shares behaviours with another requires semantic reasoning, meaning that it needs to consider what a program actually does. This is a famously uncomputable problem, due to Rice's theorem. As there is no one-size-fits-all solution, determining program similarity in the context of malware classification requires different tools and methods depending on what is available to the malware defender. When the malware source code is readily available (or at least easy to retrieve), most approaches employ semantic "abstractions", which are computable approximations of the semantics of the program. We consider this the first scenario of this thesis: malware classification using semantic abstractions extracted from the source code in an open system. Structural features, such as the control flow graphs of programs, can be used to classify malware reasonably well. To demonstrate this, we build a tool for malware analysis, R.E.H.A., which targets the Android system and leverages its openness to extract a structural feature from the source code of malware samples. This tool is first successfully evaluated against a state-of-the-art malware dataset and then on a newly collected dataset. We show that R.E.H.A. is able to classify the new samples into their respective families, often outperforming commercial antivirus software. However, abstractions have limitations by virtue of being approximations. We show that by increasing the granularity of the abstractions used to produce more fine-grained features, we can improve the accuracy of the results, as in our second tool, StranDroid, which generates fewer false positives on the same datasets. The source code of malware samples is not often available or easily retrievable.
For this reason, we introduce a second scenario in which the classification must be carried out with only the compiled binaries of malware samples on hand. Program similarity in this context cannot be assessed using semantic abstractions as before, since it is difficult to create meaningful abstractions from zeros and ones. Instead, by treating the compiled programs as raw data, we transform them into images and build upon common image classification algorithms using machine learning. This led us to develop novel deep learning models, a convolutional neural network and a long short-term memory network, to classify the samples into their respective families. To overcome the usual obstacle in deep learning, the lack of sufficiently large and balanced datasets, we utilize obfuscations as a data augmentation tool to generate semantically equivalent variants of existing samples and expand the dataset as needed. Finally, to lower the computational cost of the training process, we use transfer learning and show that a model trained on one dataset can be used to successfully classify samples in different malware datasets. The third scenario explored in this thesis assumes that even the binary itself cannot be accessed for analysis, but it can be executed, and the execution traces can then be used to extract semantic properties. However, dynamic analysis lacks the formal tools and frameworks that exist in static analysis to allow proving the effectiveness of obfuscations. For this reason, the focus shifts to building a novel formal framework that is able to assess the potency of obfuscations against dynamic analysis. We validate the new framework by using it to encode known analyses and obfuscations, and show how these obfuscations actually hinder the dynamic analysis process.

    Revealing Similarities in Android Malware by Dissecting their Methods

    One of the most challenging problems in the fight against Android malware is finding a way to classify samples according to their behaviour, in order to be able to utilize previously gathered knowledge in analysis and prevention. In this paper we introduce a novel technique that discovers similarities between Android malware samples by comparing fragments of executed traces (strands) generated from their most suspect methods. This way we can accurately pinpoint which (possibly) malicious behaviours are shared between these different samples, allowing for easier analysis and classification. We implement this approach in a tool, StrAndroid, that we evaluate on a few datasets of malware and ransomware samples, comparing its results to an existing similarity too

    Data augmentation and transfer learning to classify malware images in a deep learning context

    In the past few years, malware classification techniques have shifted from shallow traditional machine learning models to deeper neural network architectures. The main benefit of some of these is the ability to work with raw data, guaranteed by their automatic feature extraction capabilities. This results in less technical expertise needed while building the models, and thus fewer initial pre-processing resources. Nevertheless, this advantage comes with drawbacks, since deep learning models require huge quantities of data in order to generate a model that generalizes well. The amount of data required to train a deep network without overfitting is often unobtainable for malware analysts. We take inspiration from image-based data augmentation techniques and apply a sequence of semantics-preserving syntactic code transformations (obfuscations) to a small dataset of programs to generate a larger dataset. We then design two learning models, a convolutional neural network and a bi-directional long short-term memory network, and we train them on images extracted from compiled binaries of the newly generated dataset. Through transfer learning we then take the features learned from the obfuscated binaries and train the models against two state-of-the-art malware datasets, each containing around 10 000 samples. Our models easily achieve up to 98.5% accuracy on the test set, which is on par with or better than the present state-of-the-art approaches, thus validating the approach.

    Financing mechanisms in sectoral development plans: the case of the citrus trust fund of the Province of Corrientes

    Affiliation: Marastoni, Ariel. Universidad de Buenos Aires. Facultad de Ciencias Económicas. Buenos Aires, Argentina

    Advanced Minor Destructive Testing for the Assessment of Existing Masonry

    This thesis focuses on minor-destructive testing (MDT) techniques for the mechanical characterisation of historical mortars, a fundamental task for the assessment of existing masonry. In the first part, a novel in-situ MDT technique is investigated, based on the field vane shear test for soils. The instrumentation consists of a four-winged pin (X-Drill) and a torque wrench. This research presents the results of an experimental campaign based on the comparison between standard tests and X-Drill measurements on different types of mortars. The interpretation of the test provides a possible correlation between the measured torque and the compressive strength of the material. In the second part, the thesis focuses on the extraction of samples to be tested in the laboratory. Brazilian tests can be carried out on cores including a diametral mortar joint with a defined inclination with respect to its original horizontal position. A new integrated methodology is developed for the comprehensive mechanical characterisation of historical mortar based on the results of different types of experimental tests. This task is carried out by means of a large set of experiments performed from scratch on lime mortar masonry walls built in the laboratory. The processing of the results from Brazilian tests on cores with an inclined diametral joint is complemented with the application of double punch tests on mortar joints, which may also be extracted through core drilling. The proposed experimental methodology is then compared with the results obtained from standard tests performed on the same materials, such as compression tests, flexural tests and shear tests on triplets. Finally, the parameters obtained are used as input for 2D and 3D numerical analyses based on the Continuum Damage Mechanics constitutive model. The comparison between the experimental results and the numerical analyses confirms the good predictive capacity of the proposed techniques.

    Impact of child obesity on adipose tissue physiology: assessment of adipocytokines and inflammatory cytokines as biomarkers of obesity

    Obesity can be interpreted as a low-grade inflammatory state. The role of cytokines of the innate and acquired immune response and of adipocytokines in the pathogenesis of obesity is not completely understood. The aim of the study was to evaluate anthropometric parameters, adipocytokines and inflammatory cytokine levels as biomarkers of childhood obesity. The investigation was designed as a longitudinal observational study. Forty-seven obese children (19 males and 28 females) were enrolled by the Pediatric Clinic of the Foundation IRCCS Policlinico San Matteo, Pavia, Italy. For each patient a blood sample, also used for other biochemical evaluations, was collected. Plasma levels of cytokines and adipocytokines were determined by ELISA. Plasma leptin levels correlate with age (r=0.5; P<0.001) and BMI z-score (r=0.36; P<0.001), particularly in girls; plasma resistin levels correlate inversely with age, particularly in boys (r=-0.67; P<0.001), and correlate with BMI z-score (r=0.52; P=0.002). We observed a statistically significant correlation between plasma leptin and resistin levels and the anthropometric parameters of childhood obesity (sex and BMI z-score). This study suggests that adipocytokines such as leptin and resistin can be considered biomarkers of childhood obesity and its comorbidities.

    Changes in physiological activities and root exudation profile of two grapevine rootstocks reveal common and specific strategies for Fe acquisition

    In several cultivation areas, grapevine can suffer from Fe chlorosis due to the calcareous and alkaline nature of the soils. This plant species has been described as coping with Fe deficiency by activating Strategy I mechanisms, hence increasing root H+ extrusion and ferric-chelate reductase activity. The degree of tolerance exhibited by the rootstocks has been reported to depend on both reactions, but to date little emphasis has been given to the role played by root exudate extrusion. We studied the behaviour of two hydroponically grown, tolerant grapevine rootstocks (Ramsey and 140R) in response to Fe deficiency. Under these experimental conditions, the two varieties displayed differences in their ability to modulate morpho-physiological parameters, root acidification and ferric-chelate reductase activity. The metabolic profiling of root exudates revealed common strategies for Fe acquisition, including ones aimed at reducing microbial competition for this micronutrient by limiting the exudation of amino acids and sugars and increasing instead that of Fe(III)-reducing compounds. Other modifications in exudate composition hint that the two rootstocks cope with Fe shortage via specific adjustments of their exudation patterns. Furthermore, the presence of 3-hydroxymugineic acid among these compounds suggests that the responses of grapevine to Fe availability are rather diverse and much more complex than those usually described for Strategy I plants.