Research in current and future cybersecurity threats at the NECSTLab is heavily centered on experimentally analyzing real systems, with a focus on a data-driven approach. In this context, our lab pursues four lines of research: large-scale and automated malware analysis, detection of financial frauds through machine learning, mobile security and mobile malware analysis, and cyber-physical security, where we focus on automotive networks and on the security of the so-called Industry 4.0 paradigm. In this talk, we give a bird's-eye view of the system security research at the NECSTLab, presenting the rationale of our research, introducing representative projects in each of the four lines, and summarizing the main results we achieved.
System Security @ NECSTLab
1. NGC 2018 Systems Security @ NECSTLab Marcello Pogliani
System Security @ NECSTLab
Marcello Pogliani
marcello.pogliani@polimi.it
Microsoft, Mountain View
May 31st, 2018
2. The System Security Group @ NECSTLab
1 Associate Professor (Stefano Zanero)
~ 3 Postdoctoral Researchers
~ 3 PhD Students
15+ Master’s Students
3. What (else) we do, besides research
Hacking Activities (aka CTF)
● Tower of Hanoi ~> http://toh.necst.it/
● mHACKeroni ~> http://mhackeroni.it
○ 2nd @ DEF CON Quals 2018!
4. System Security
Emphasis on real systems
Focus on data and machine learning
Tools (or concepts) to aid the analyst or the user
5. Research Lines
Malware and Threat Analysis
Frauds Analysis and Detection
Mobile Security
Security of Cyber-physical systems
7. Malware and Threat Analysis (MaTa)
Three kinds of work: Analysis, Defense/Protection, Specific Threats
● Prometheus: extract robust signatures from WebInject-based trojans
● ShieldFS: defense against ransomware
● Arancino (resilient): defending Intel Pin against anti-instrumentation attacks
● Jackdaw (simpler): automatic extraction and tagging of common malware behavior
10. Ransomware vs. Benign Apps
[Architecture diagram: user-mode processes (benign or ransomware? not known up front) issue I/O requests; in kernel mode these pass through the I/O Manager, the IRPLogger, the File System and the Storage Driver down to the disk drive]
11. Ransomware vs. Benign Apps
Features that separate ransomware from benign applications:
(1) #Folder-listing (2) #Files-Read (3) #Files-Written
(4) #Files-Renamed (5) File type coverage (6) Write Entropy
12. Detection Models
[Diagram: the I/O activity of Process #1 ... Process #n feeds one process-centric model per process, while the aggregate activity toward the disk drive feeds a single system-centric model]
13. Protection: File Recovery Workflow
Start ~> Monitor & COW (copy-on-write) on first write ~> process state: Unknown ~> ShieldFS Detector
● Malicious ~> restore original copies
● Benign ~> clean old copies
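The three ShieldFS slides above (the six indicators, the process-centric and system-centric models, and the copy-on-write recovery workflow) can be tied together in a small simulation. The following is an added example, not ShieldFS code: it replays a constructed I/O log (standing in for the IRPs the kernel-mode IRPLogger sees) through feature extraction, two hand-set threshold rules that stand in for the trained models (an assumption of this example; the real detector is learned from data), and a shadow store that keeps each file's original on a process's first write and restores it when the process is judged malicious. The "disk", the log and the entropy/coverage thresholds are all constructed.

```python
"""Toy model of the ShieldFS pipeline sketched on slides 11-13: per-process
indicators, process-/system-centric verdicts and copy-on-write recovery.
Added example, not ShieldFS code; the verdict rules are hand-set thresholds
standing in for the trained models (an assumption), and the data is constructed."""
import math
from collections import Counter, defaultdict

HIGH_ENTROPY = bytes(range(256)) * 2  # stands in for ciphertext (constructed)

# Constructed in-memory "disk": path -> content.
DISK = {"C:/docs/report.docx": b"Quarterly report " * 8,
        "C:/docs/notes.txt": b"meeting notes\n" * 4,
        "C:/docs/budget.xlsx": b"budget cells" * 6,
        "C:/docs/photo.jpg": b"\xff\xd8jpegdata" * 4}

# Constructed I/O log of (pid, op, path, payload), standing in for the IRPs the
# kernel-mode IRPLogger sees. pid 1 behaves like a text editor; pid 2 like
# ransomware: list the folder, read each file, overwrite it with high-entropy
# data, rename it.
IO_LOG = [(1, "list", "C:/docs", None),
          (1, "read", "C:/docs/notes.txt", None),
          (1, "write", "C:/docs/notes.txt", b"meeting notes (edited)\n" * 4),
          (2, "list", "C:/docs", None)]
for _p in ("C:/docs/report.docx", "C:/docs/budget.xlsx", "C:/docs/photo.jpg"):
    IO_LOG += [(2, "read", _p, None), (2, "write", _p, HIGH_ENTROPY),
               (2, "rename", _p, _p + ".locked")]


def shannon_entropy(data):
    """Bits per byte; encrypted output sits close to the 8.0 maximum."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0


def ext_of(path):
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def extract_features(io_log, all_extensions):
    """Indicators (1)-(6) of slide 11, per process, over the whole log."""
    raw = defaultdict(lambda: {"list": 0, "rename": 0, "read": set(),
                               "written": set(), "entropies": []})
    for pid, op, path, payload in io_log:
        r = raw[pid]
        if op == "write":
            r["written"].add(path)
            r["entropies"].append(shannon_entropy(payload))
        elif op == "read":
            r["read"].add(path)
        else:  # "list" or "rename": just count them
            r[op] += 1
    feats = {}
    for pid, r in raw.items():
        touched = {ext_of(p) for p in r["written"]}
        ent = r["entropies"]
        feats[pid] = {"folder_listings": r["list"], "files_read": len(r["read"]),
                      "files_written": len(r["written"]), "files_renamed": r["rename"],
                      "type_coverage": len(touched & all_extensions) / max(len(all_extensions), 1),
                      "write_entropy": sum(ent) / len(ent) if ent else 0.0}
    return feats


def process_verdict(f):
    """Process-centric model: hand-set rule in place of the trained classifier."""
    encrypts = f["write_entropy"] > 7.0 and f["files_written"] >= 2
    spreads = f["type_coverage"] >= 0.5 or f["files_renamed"] >= 2
    return "malicious" if encrypts and spreads else "benign"


def system_verdict(feats, total_files):
    """System-centric model: the same indicators summed over all processes, for
    ransomware that splits its work across several processes (hand-set rule)."""
    rewritten = sum(f["files_written"] for f in feats.values() if f["write_entropy"] > 7.0)
    renamed = sum(f["files_renamed"] for f in feats.values())
    return "malicious" if rewritten / max(total_files, 1) >= 0.5 and renamed >= 2 else "benign"


def run_shieldfs(disk, io_log):
    """Replay the log keeping copy-on-write shadows, then restore or clean up."""
    disk = dict(disk)
    total_files, all_ext = len(disk), {ext_of(p) for p in disk}
    shadow = defaultdict(dict)   # pid -> {original path: original content}
    renames = defaultdict(list)  # pid -> [new path, ...]
    for pid, op, path, payload in io_log:
        if op == "write":
            if path in disk and path not in shadow[pid]:
                shadow[pid][path] = disk[path]  # COW: keep the original on first write
            disk[path] = payload
        elif op == "rename":
            disk[payload] = disk.pop(path)
            renames[pid].append(payload)
    feats = extract_features(io_log, all_ext)
    verdicts = {pid: process_verdict(f) for pid, f in feats.items()}
    for pid, verdict in verdicts.items():
        if verdict == "malicious":
            for new_path in renames[pid]:
                disk.pop(new_path, None)  # drop the renamed, encrypted copy
            disk.update(shadow[pid])      # restore original copies
        shadow[pid].clear()               # benign: clean old copies
    return disk, verdicts, system_verdict(feats, total_files)
```

Running `run_shieldfs(DISK, IO_LOG)` returns the disk with the three ".locked" files gone and the originals back, the editor's edit to notes.txt kept, and the verdicts {1: benign, 2: malicious}. Two design points carry over from the real system: the shadow copy is taken before the first write lands, so recovery does not depend on the detector having already fired (slide 14's "files protected even in case of missed detection"), and the system-centric rule looks at totals across processes, so splitting the encryption across several short-lived processes does not drive each one under the per-process thresholds.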
14. Detection & Recovery Capabilities
● 1483 unseen samples
○ Locky, TeslaCrypt, CryptoLocker, Critroni, TorrentLocker,
CryptoWall, Troldesh, CryptoDefense, PayCrypt, DirtyDecrypt,
ZeroLocker, Cerber, WannaCry
● Files protected: always 100%
○ Even in case of missed detection
● Detection rate: 1436/1483, 96.9%
15. What's Next
Limitations of Software-based Detectors
[Diagram: software stack (App, OS, Kernel) on top of the Hardware, showing where a software-based Detector sits]
16. Live Memory Forensics
● Passive undetectable analysis
● Live memory forensics
[Diagram: the Target/Protected Machine (Win 8.1) is read over PCIe by a USB3380-based Physical Memory Reader, which is connected over USB to the Malware Detector]
17. Live Memory Forensics: Semantic Gap
● Filling the semantic gap
○ Parse OS data structures
[Figure: raw memory (hex dump) ~> Semantic Reconstruction ~> Data Structures]
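The semantic gap on the slide above is that the PCIe reader only delivers raw bytes, and a process list exists only once the OS's own data structures are parsed out of them. The following added example (not the lab's tool) shows that reconstruction on a constructed memory image with an invented block layout, a tag, a pid, a name and a forward link to the next block (an assumption: real Windows 8.1 kernel structures are larger and version specific). It reconstructs the process list two ways, by walking the linked list the way the OS would and by carving every tagged block out of raw memory, and reports any block the carver sees but the walk does not, which is the classic sign of a process unlinked from the list to hide it.

```python
"""Toy illustration of the semantic gap in live memory forensics (slide 17).

Added example, not the lab's tool. It builds a constructed raw memory image
holding process blocks in an invented layout (an assumption: real Windows 8.1
kernel structures are larger and version specific) and reconstructs the
process list two ways: walking the kernel's linked list, and carving every
block by its tag. A block the carver finds but the walk misses has been
unlinked from the list, the classic way rootkits hide a process."""
import struct

MAGIC = b"PROC"                       # invented block tag (assumption)
BLOCK = struct.Struct("<4sI16sI")     # tag, pid, name, flink = offset of next block
HEADER = struct.Struct("<I")          # image offset 0 holds the list head offset
IMAGE_SIZE, FIRST_BLOCK, STRIDE = 4096, 0x100, 0x40

# Constructed process table; pid 666 is written to memory but left unlinked.
PROCESSES = [(4, "System"), (412, "csrss.exe"), (1337, "explorer.exe"), (666, "evil.exe")]
UNLINKED = {666}


def build_image(processes, unlinked=frozenset()):
    """Lay the blocks into a zeroed image and chain the linked ones circularly."""
    image = bytearray(IMAGE_SIZE)
    offset = {pid: FIRST_BLOCK + i * STRIDE for i, (pid, _) in enumerate(processes)}
    chain = [pid for pid, _ in processes if pid not in unlinked]
    for pid, name in processes:
        if pid in chain:
            flink = offset[chain[(chain.index(pid) + 1) % len(chain)]]
        else:
            flink = 0  # unlinked block: dangling forward link
        BLOCK.pack_into(image, offset[pid], MAGIC, pid, name.encode(), flink)
    HEADER.pack_into(image, 0, offset[chain[0]])
    return bytes(image)


def _decode(image, off):
    tag, pid, name, flink = BLOCK.unpack_from(image, off)
    if tag != MAGIC:
        raise ValueError(f"no process block at {off:#x}")
    return pid, name.rstrip(b"\0").decode(), flink


def walk_process_list(image):
    """What a naive tool sees: follow flink from the head until the list loops."""
    procs, seen = [], set()
    off = HEADER.unpack_from(image, 0)[0]
    while off and off not in seen and off + BLOCK.size <= len(image):
        seen.add(off)
        pid, name, off = _decode(image, off)
        procs.append((pid, name))
    return procs


def carve_process_blocks(image):
    """Scan raw memory for every block tag, ignoring the links entirely."""
    procs, idx = [], image.find(MAGIC)
    while idx != -1 and idx + BLOCK.size <= len(image):
        pid, name, _ = _decode(image, idx)
        procs.append((pid, name))
        idx = image.find(MAGIC, idx + BLOCK.size)
    return procs


def hidden_processes(image):
    """Cross-view check: blocks present in memory but absent from the list."""
    listed = {pid for pid, _ in walk_process_list(image)}
    return [(pid, name) for pid, name in carve_process_blocks(image) if pid not in listed]
```

`hidden_processes(build_image(PROCESSES, UNLINKED))` returns `[(666, "evil.exe")]`: the list walk reports only the three linked processes, the carver finds all four. The same cross-view idea is what memory-forensics frameworks apply to real kernel structures, where the layouts come from OS symbol information rather than from an invented struct as here.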
20. Fraud Analysis and Detection (FraudSec)
Machine learning for security
Historical transaction data ~> model user behavior
Detect frauds as anomalies
22. Internet Banking Fraud Detection
Challenges
Difficult to analyze and detect
● Rare and dispersed ~> highly imbalanced dataset
● User behavior is dynamic and varies over time
Available information and data are scarce
Existing approaches are limited
● Black-box
● Based on synthetic data
23. Dataset Analysis
Skewed and unbalanced distribution
[Plots: number of transactions per user, with the undertraining region (users with few transactions) marked; transaction amount]
24. Legit Transactions vs Frauds
Frauds are rare and hidden in the user's behavior
[Plot: frauds vs. transactions]
25. Dataset Analysis
Amount Distribution
[Plot: amount distribution, legitimate vs. fraud]
26. Banksealer: Approach
Threefold Approach: Different Granularities
● Local Profile (for each user)
● Global Profile
● Temporal Profile (for each user)
27. Banksealer: Approach
Local Profile (for each user) characterizes each user's individual spending pattern to evaluate the anomaly of each new transaction
28. Banksealer: Approach
Global Profile characterizes "classes" of spending patterns and mitigates the undertraining problem
29. Banksealer: Approach
Temporal Profile (for each user) deals with frauds that exploit the repetition of legitimate-looking transactions over time
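The three profiles of slides 26 to 29 can be made concrete in a few dozen lines. The following is an added example and not BankSealer's code: the feature bins (amount band, day/night, country), the definition of a user's spending class, the undertraining threshold and the score formulas are all assumptions chosen for illustration, and the transaction history is constructed. Each profile answers the question the slides assign to it: the local profile scores a transaction by how rare its feature values are for that user; for a user with too little history the global profile of the user's spending class is used instead; and the temporal profile compares the running weekly total against the user's past weeks, so a burst of individually normal-looking transactions still scores high.

```python
"""Simplified BankSealer-style scoring with the three profiles of slides 26-29.

Added example, not BankSealer's code: the feature bins, the spending-class
definition, the undertraining threshold and the score formulas are assumptions
chosen for illustration, and the transaction data is constructed. Higher score
means more anomalous."""
from collections import Counter, defaultdict
from statistics import mean, pstdev

MIN_HISTORY = 5  # fewer past transactions than this = "undertrained" user (assumption)


def tx(user, day, amount, hour, country="IT"):
    return {"user": user, "day": day, "amount": amount, "hour": hour, "country": country}


def amount_bin(a):
    return "small" if a < 50 else "medium" if a < 500 else "large"


def features(t):
    night = t["hour"] < 7 or t["hour"] >= 22
    return (amount_bin(t["amount"]), "night" if night else "day", t["country"])


class Profile:
    """Frequency profile over binned features; a transaction scores 0 when each
    of its feature values is the only one ever seen, 3 when all three are new."""
    def __init__(self):
        self.counts, self.n = [Counter(), Counter(), Counter()], 0

    def add(self, t):
        for c, v in zip(self.counts, features(t)):
            c[v] += 1
        self.n += 1

    def score(self, t):
        if not self.n:  # empty profile: everything is unseen
            return float(len(self.counts))
        return sum(1 - c[v] / self.n for c, v in zip(self.counts, features(t)))


class BankSealer:
    def __init__(self, history):
        self.history = defaultdict(list)
        for t in history:
            self.history[t["user"]].append(t)
        self.local, self.klass, self.glob = {}, {}, defaultdict(Profile)
        for user, txs in self.history.items():
            self.local[user] = Profile()
            # spending class = the user's most common amount bin (assumption)
            self.klass[user] = Counter(amount_bin(t["amount"]) for t in txs).most_common(1)[0][0]
            for t in txs:
                self.local[user].add(t)
                self.glob[self.klass[user]].add(t)

    def local_score(self, t):
        """Local profile; an undertrained or unknown user is scored against the
        global profile of the matching spending class instead."""
        p = self.local.get(t["user"])
        if p is None or p.n < MIN_HISTORY:
            k = self.klass.get(t["user"], amount_bin(t["amount"]))
            return self.glob[k].score(t), "global"
        return p.score(t), "local"

    def temporal_score(self, t):
        """Temporal profile: how far the running weekly total, with this
        transaction added, sits above the user's past weekly totals."""
        weeks = defaultdict(float)
        for past_t in self.history[t["user"]]:
            weeks[past_t["day"] // 7] += past_t["amount"]
        current = weeks.pop(t["day"] // 7, 0.0) + t["amount"]
        past = list(weeks.values())
        if len(past) < 2:
            return 0.0
        spread = pstdev(past) or mean(past) or 1.0
        return max(0.0, (current - mean(past)) / spread)


# Constructed history: alice has 8 regular weeks, then a burst of look-alike
# transactions in week 8; bob has too little history to be profiled on his own.
HISTORY = []
for w in range(8):
    HISTORY += [tx("alice", 7 * w + 1, 30, 10), tx("alice", 7 * w + 3, 40, 14)]
HISTORY += [tx("alice", 57 + i % 5, 35, 11) for i in range(9)]
HISTORY += [tx("bob", 2, 20, 9), tx("bob", 9, 25, 18)]
```

With `bs = BankSealer(HISTORY)`, a routine transaction by alice scores 0.0 locally while a large night-time transfer to an unseen country scores the maximum 3.0; bob, with two transactions, is scored against the global profile of the "small" spenders; and a ninth 35-unit transaction in alice's week 8, unremarkable on its own, gets a temporal score of 4.0 because that week's total is already far above her 70-unit weeks. The three signals are kept separate on purpose, as on the slides: they are meant to be shown to an analyst side by side, not collapsed into one opaque score.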
33. Mobile Security (MoSec)
Mobile Malware Analysis:
● Heldroid: mobile ransomware analysis
● Andrototal: service to analyze suspicious apps w/ multiple mobile AVs
Platform Security:
● Grab 'n Run: secure dynamic code loading
● OpenST: Linux/ARM syscall tracer
35. Cyber-Physical Systems Security (CyPhy)
Automotive ~> example project: a DoS attack that exploits weaknesses in the CANbus link layer
Industrial Controls & Robots ~> example project: a security analysis of modern industrial robot controllers
36. (Industrial) CPS Research
What risks and vulnerabilities?
What real-world threats?
How to detect attacks and improve security?
38. Motivation: Industry 4.0 Trends
Interconnected
Flexibly programmable
Remotely exposed
39. Robosec in a nutshell
Model for a remote attacker (Industry 4.0 context)
Attack Surface Analysis
Discovered generic attack “templates”
Implemented all this with a case study (ABB IRC5)
40. Threat Scenarios
1) Production Plant Halting
2) Production Outcome Alteration
3) Physical Damage
4) Unauthorized Access
5) Ransom requests to disclose micro defects
41. Example attack: Control Loop Alteration
[Figure]
47. Malware Analysis: Results
A. Continella, A. Guagnelli, G. Zingaro, G. De Pasquale, A. Barenghi, S. Zanero, F. Maggi
ShieldFS: a self-healing, ransomware-aware filesystem
ACSAC 2017, https://conand.me/publications/continella-shieldfs-2016.pdf; project: http://shieldfs.necst.it
M. Polino, A. Scorti, F. Maggi, S. Zanero
Jackdaw: Towards Automatic Reverse Engineering of Large Datasets of Binaries
DIMVA 2015, https://jinblack.it/static/files/jackdaw.pdf
M. Polino, A. Continella, S. Mariani, S. D'Alessio, L. Fontana, F. Gritti, S. Zanero
Measuring and Defeating Anti-Instrumentation-Equipped Malware
DIMVA 2017, https://jinblack.it/static/files/arancino.pdf; code + dataset: http://arancino.necst.it
48. Banksealer: Results
M. Carminati, R. Caron, I. Epifani, F. Maggi, S. Zanero
BankSealer: An Online Banking Fraud Analysis and Decision Support System
IFIP SEC 2014, http://www.syssec-project.eu/m/page-media/3/carminati_sec14_bankSealer.pdf
M. Carminati, M. Polino, A. Continella, A. Lanzi, F. Maggi, S. Zanero
Security Evaluation of a Banking Fraud Analysis System
ACM Transactions on Privacy and Security (TOPS), 2018, https://conand.me/publications/carminati-bankingfraud-2018.pdf
M. Carminati, A. Baggio, F. Maggi, U. Spagnolini, S. Zanero
FraudBuster: Temporal Analysis and Detection of Advanced Financial Frauds
DIMVA 2018 (June 2018)
49. Cyber-Physical Systems: Results
A. Palanca, E. Evenchick, F. Maggi, S. Zanero
A stealth, selective, link-layer denial-of-service attack against automotive networks
DIMVA 2017, https://link.springer.com/chapter/10.1007/978-3-319-60876-1_9
D. Quarta, M. Pogliani, M. Polino, F. Maggi, A. M. Zanchettin, S. Zanero
An Experimental Security Analysis of an Industrial Robot Controller
IEEE Security & Privacy 2017, http://robosec.org/downloads/paper-robosec-sp-2017.pdf; project: http://robosec.org