
    Survey of Machine Learning Techniques for Malware Analysis

    Coping with malware is getting more and more challenging, given its relentless growth in complexity and volume. One of the most common approaches in the literature is using machine learning techniques to automatically learn the models and patterns behind such complexity, and to develop technologies for keeping pace with the speed at which novel malware is developed. This survey aims at providing an overview of the way machine learning has been used so far in the context of malware analysis. We systematize the surveyed papers according to their objectives (i.e., the expected output, what the analysis aims at), what information about malware they specifically use (i.e., the features), and what machine learning techniques they employ (i.e., what algorithm is used to process the input and produce the output). We also outline a number of problems concerning the datasets used in the considered works, and finally introduce the novel concept of malware analysis economics, regarding the study of existing tradeoffs among key metrics, such as analysis accuracy and economic costs.

    A Blockchain-Based Solution for Enabling Log-Based Resolution of Disputes in Multi-party Transactions

    We are witnessing an ongoing global trend towards the automation of almost any transaction through the employment of some Internet-based means. Furthermore, the large spread of cloud computing and the massive emergence of the software as a service (SaaS) paradigm have unveiled many opportunities to combine distinct services, provided by different parties, to establish higher-level and more advanced services that can be offered to end users and enterprises. Business-to-business (B2B) integration and third-party authorization (i.e. using standards like OAuth) are examples of processes requiring several parties to interact with each other to deliver some desired functionality. These kinds of interactions mostly consist of transactions and are usually regulated by some agreement which defines the obligations that the involved parties have to comply with. In case one of the parties claims a violation of some clause of such an agreement, disputes can occur if the party accused of the infraction refuses to recognize its fault. Moreover, in case of auditing, for convenience reasons a party may deny having taken part in a given transaction, or may forge historical records related to that transaction. Solutions based on a trusted third party (TTP) have drawbacks: high overhead due to the involvement of an additional party, possible fees to pay for each transaction, and the risks stemming from having to blindly trust another party. If it were possible to rely only on transaction logs to sort disputes out, then it would be feasible to get rid of any TTP and its related shortcomings. In this paper we propose SLAVE, a blockchain-based solution which does not require any TTP. Storing transactions in a public blockchain like Bitcoin's or Ethereum's provides strong guarantees on transactions' integrity, hence they can actually be used as proofs when controversies arise. The solution we propose defines how to embed transaction logs in a public blockchain, so that each involved party can verify the identity of the others while keeping the content of transactions confidential.

    Timely processing of big data in collaborative large-scale distributed systems

    Today's Big Data phenomenon, characterized by huge volumes of data produced at very high rates by heterogeneous and geographically dispersed sources, is fostering the employment of large-scale distributed systems in order to leverage parallelism, fault tolerance and locality awareness with the aim of delivering suitable performance. Among the several areas where Big Data is gaining increasing significance, the protection of Critical Infrastructure is one of the most strategic, since it impacts the stability and safety of entire countries. Intrusion detection mechanisms can benefit a lot from novel Big Data technologies because these allow exploiting much more information in order to sharpen the accuracy of threat discovery. A key aspect for increasing even further the amount of data available for detection purposes is collaboration (meant as information sharing) among distinct actors that share the common goal of maximizing the chances of recognizing malicious activities earlier. Indeed, if an agreement can be found to share their data, they all have the possibility to definitely improve their cyber defenses. The abstraction of Semantic Room (SR) allows interested parties to form trusted and contractually regulated federations, the Semantic Rooms, for the sake of secure information sharing and processing. Another crucial point for the effectiveness of cyber protection mechanisms is the timeliness of the detection, because the sooner a threat is identified, the faster proper countermeasures can be put in place so as to confine any damage. Within this context, the contributions reported in this thesis are threefold:
    * As a case study to show how collaboration can enhance the efficacy of security tools, we developed a novel algorithm for the detection of stealthy port scans, named R-SYN (Ranked SYN port scan detection). We implemented it in three distinct technologies, all of them integrated within an SR-compliant architecture that allows for collaboration through information sharing: (i) in a centralized Complex Event Processing (CEP) engine (Esper), (ii) in a framework for distributed event processing (Storm) and (iii) in Agilis, a novel platform for batch-oriented processing which leverages the Hadoop framework and RAM-based storage for fast data access. Regardless of the employed technology, all the evaluations have shown that increasing the number of participants (that is, increasing the amount of available input data) improves the detection accuracy. The experiments made clear that a distributed approach allows for lower detection latency and for keeping up with higher input throughput, compared with a centralized one.
    * Distributing the computation over a set of physical nodes introduces the issue of improving the way available resources are assigned to the elaboration tasks to execute, with the aim of minimizing the time the computation takes to complete. We investigated this aspect in Storm by developing two distinct scheduling algorithms, both aimed at decreasing the average elaboration time of a single input event by decreasing the inter-node traffic. Experimental evaluations showed that these two algorithms can improve the performance by up to 30%.
    * Computations in online processing platforms (like Esper and Storm) are run continuously, and the need to refine running computations or add new computations, together with the need to cope with the variability of the input, requires the possibility to adapt the resource allocation at runtime, which entails a set of additional problems. Among them, the most relevant concern how to cope with incoming data and processing state while the topology is being reconfigured, and the issue of temporarily reduced performance. To this end, we also explored the alternative approach of running the computation periodically on batches of input data: although it involves a performance penalty on the elaboration latency, it eliminates the great complexity of dynamic reconfigurations. We chose Hadoop as the batch-oriented processing framework and we developed some strategies specific to computations based on time windows, which are very likely to be used for pattern recognition purposes, as in the case of intrusion detection. Our evaluations provided a comparison of these strategies and made evident the kind of performance that this approach can provide.

    Android Malware Family Classification Based on Resource Consumption over Time

    The vast majority of today's mobile malware targets Android devices. This has pushed the research effort in Android malware analysis in recent years. An important task of malware analysis is the classification of malware samples into known families. Static malware analysis is known to fall short against techniques that change static characteristics of the malware (e.g. code obfuscation), while dynamic analysis has proven effective against such techniques. To the best of our knowledge, the most notable work on Android malware family classification purely based on dynamic analysis is DroidScribe. With respect to DroidScribe, our approach is easier to reproduce. Our methodology only employs publicly available tools, does not require any modification to the emulated environment or Android OS, and can collect data from physical devices. The latter is a key factor, since modern mobile malware can detect the emulated environment and hide its malicious behavior. Our approach relies on resource consumption metrics available from the proc file system. Features are extracted through detrended fluctuation analysis and correlation. Finally, an SVM is employed to classify malware into families. We provide an experimental evaluation on malware samples from the Drebin dataset, where we obtain a classification accuracy of 82%, proving that our methodology achieves an accuracy comparable to that of DroidScribe. Furthermore, we make the software we developed publicly available, to ease the reproducibility of our results.
    Comment: Extended Version

    A Wearable Wireless Magnetic Eye-Tracker, in-vitro and in-vivo tests

    A wireless, wearable magnetic eye tracker is described and characterized. The proposed instrumentation enables simultaneous evaluation of eye and head angular displacements. Such a system can be used to determine the absolute gaze direction as well as to analyze spontaneous eye re-orientation in response to stimuli consisting of head rotations. The latter feature has implications for the analysis of the vestibulo-ocular reflex and constitutes an interesting opportunity to develop medical (oto-neurological) diagnostics. Details of the data analysis are reported together with some results obtained in vivo or with simple mechanical simulators that enable measurements under controlled conditions.

    QUBIC: Exploring the Primordial Universe with the Q&U Bolometric Interferometer

    In this paper, we describe QUBIC, an experiment that will observe the polarized microwave sky with a novel approach, which combines the sensitivity of state-of-the-art bolometric detectors with the systematic effects control typical of interferometers. QUBIC's unique features are the so-called "self-calibration", a technique that allows us to clean the measured data from instrumental effects, and its spectral imaging power, i.e., the ability to separate the signal into various sub-bands within each frequency band. QUBIC will observe the sky in two main frequency bands: 150 GHz and 220 GHz. A technological demonstrator is currently under testing and will be deployed in Argentina during 2019, while the final instrument is expected to be installed during 2020.
    Authors:
    Mennella, Aniello (University of Milan; Italy)
    Barbaràn, Gustavo (Comisión Nacional de Energía Atómica; Argentina)
    Bonaparte, Juan (Comisión Nacional de Energía Atómica; Argentina)
    Di Donato, Andrés Leonardo (Comisión Nacional de Energía Atómica; Argentina)
    Etchegoyen, Alberto (Consejo Nacional de Investigaciones Científicas y Técnicas. Oficina de Coordinación Administrativa Parque Centenario. Instituto de Tecnología en Detección y Astropartículas. Comisión Nacional de Energía Atómica. Instituto de Tecnología en Detección y Astropartículas. Universidad Nacional de San Martín. Instituto de Tecnología en Detección y Astropartículas; Argentina)
    Fasciszewski, Adrián (Comisión Nacional de Energía Atómica; Argentina)
    Gamboa Lerena, Martin Miguel (Universidad Nacional de La Plata. Facultad de Ciencias Astronómicas y Geofísicas; Argentina)
    Garcia, Beatriz Elena (Consejo Nacional de Investigaciones Científicas y Técnicas. Oficina de Coordinación Administrativa Parque Centenario. Instituto de Tecnología en Detección y Astropartículas. Comisión Nacional de Energía Atómica. Instituto de Tecnología en Detección y Astropartículas. Universidad Nacional de San Martín. Instituto de Tecnología en Detección y Astropartículas; Argentina)
    Gómez Berisso, Mariano (Centro Atómico Bariloche. Instituto Balseiro; Argentina)
    González, Manuel (Centro Atómico Bariloche. Instituto Balseiro; Argentina)
    Luterstein, Raùl Horacio (Comisión Nacional de Energía Atómica; Argentina)
    Harari, Diego Dario (Centro Atómico Bariloche. Instituto Balseiro; Argentina)
    Kristukat, Christian (Universidad Nacional de San Martín; Argentina)
    Medina, Maria Clementina (Provincia de Buenos Aires. Gobernación. Comisión de Investigaciones Científicas. Instituto Argentino de Radioastronomía. Consejo Nacional de Investigaciones Científicas y Técnicas. Centro Científico Tecnológico Conicet - La Plata. Instituto Argentino de Radioastronomía; Argentina)
    Mundo, Luis Mariano (Universidad Nacional de La Plata. Facultad de Ciencias Astronómicas y Geofísicas; Argentina)
    Pastoriza, Hernan (Centro Atómico Bariloche. Instituto Balseiro; Argentina)
    Ringegni, Pablo (Universidad Nacional de La Plata. Facultad de Ciencias Astronómicas y Geofísicas; Argentina)
    Romero, Gustavo Esteban (Provincia de Buenos Aires. Gobernación. Comisión de Investigaciones Científicas. Instituto Argentino de Radioastronomía. Consejo Nacional de Investigaciones Científicas y Técnicas. Centro Científico Tecnológico Conicet - La Plata. Instituto Argentino de Radioastronomía; Argentina)
    Scóccola, Claudia G. (Universidad Nacional de La Plata. Facultad de Ciencias Astronómicas y Geofísicas; Argentina)
    Suarez, Federico (Consejo Nacional de Investigaciones Científicas y Técnicas. Oficina de Coordinación Administrativa Parque Centenario. Instituto de Tecnología en Detección y Astropartículas. Comisión Nacional de Energía Atómica. Instituto de Tecnología en Detección y Astropartículas. Universidad Nacional de San Martín. Instituto de Tecnología en Detección y Astropartículas; Argentina)
    The QUBIC Collaboration (affiliation not specified)
    Venue: 7th International Conference on New Frontiers in Physics, Center of the Orthodox Academy of Crete, Crete, Greece

    The future of Cybersecurity in Italy: Strategic focus area


    Disease-Modifying Therapies and Coronavirus Disease 2019 Severity in Multiple Sclerosis

    Objective: This study was undertaken to assess the impact of immunosuppressive and immunomodulatory therapies on the severity of coronavirus disease 2019 (COVID-19) in people with multiple sclerosis (PwMS). Methods: We retrospectively collected data of PwMS with suspected or confirmed COVID-19. All the patients had complete follow-up to death or recovery. Severe COVID-19 was defined by a 3-level variable: mild disease not requiring hospitalization versus pneumonia or hospitalization versus intensive care unit (ICU) admission or death. We evaluated baseline characteristics and MS therapies associated with severe COVID-19 by multivariate and propensity score (PS)-weighted ordinal logistic models. Sensitivity analyses were run to confirm the results. Results: Of 844 PwMS with suspected (n = 565) or confirmed (n = 279) COVID-19, 13 (1.54%) died; 11 of them were in a progressive MS phase, and 8 were without any therapy. Thirty-eight (4.5%) were admitted to an ICU; 99 (11.7%) had radiologically documented pneumonia; 96 (11.4%) were hospitalized. After adjusting for region, age, sex, progressive MS course, Expanded Disability Status Scale, disease duration, body mass index, comorbidities, and recent methylprednisolone use, therapy with an anti-CD20 agent (ocrelizumab or rituximab) was significantly associated (odds ratio [OR] = 2.37, 95% confidence interval [CI] = 1.18-4.74, p = 0.015) with increased risk of severe COVID-19. Recent use (<1 month) of methylprednisolone was also associated with a worse outcome (OR = 5.24, 95% CI = 2.20-12.53, p = 0.001). Results were confirmed by the PS-weighted analysis and by all the sensitivity analyses. Interpretation: This study showed an acceptable level of safety of therapies with a broad array of mechanisms of action. However, some specific elements of risk emerged. These will need to be considered while the COVID-19 pandemic persists.