Design and implementation of robust systems for secure malware detection

Malicious software (malware) have significantly increased in terms of number and effectiveness during the past years. Until 2006, such software were mostly used to disrupt network infrastructures or to show coders’ skills. Nowadays, malware constitute a very important source of economical profit, and are very difficult to detect. Thousands of novel variants are released every day, and modern obfuscation techniques are used to ensure that signature-based anti-malware systems are not able to detect such threats. This tendency has also appeared on mobile devices, with Android being the most targeted platform. To counteract this phenomenon, a lot of approaches have been developed by the scientific community that attempt to increase the resilience of anti-malware systems. Most of these approaches rely on machine learning, and have become very popular also in commercial applications. However, attackers are now knowledgeable about these systems, and have started preparing their countermeasures. This has lead to an arms race between attackers and developers. Novel systems are progressively built to tackle the attacks that get more and more sophisticated. For this reason, a necessity grows for the developers to anticipate the attackers’ moves. This means that defense systems should be built proactively, i.e., by introducing some security design principles in their development. The main goal of this work is showing that such proactive approach can be employed on a number of case studies. To do so, I adopted a global methodology that can be divided in two steps. First, understanding what are the vulnerabilities of current state-of-the-art systems (this anticipates the attacker’s moves). Then, developing novel systems that are robust to these attacks, or suggesting research guidelines with which current systems can be improved. This work presents two main case studies, concerning the detection of PDF and Android malware. The idea is showing that a proactive approach can be applied both on the X86 and mobile world. The contributions provided on this two case studies are multifolded. With respect to PDF files, I first develop novel attacks that can empirically and optimally evade current state-of-the-art detectors. Then, I propose possible solutions with which it is possible to increase the robustness of such detectors against known and novel attacks. With respect to the Android case study, I first show how current signature-based tools and academically developed systems are weak against empirical obfuscation attacks, which can be easily employed without particular knowledge of the targeted systems. Then, I examine a possible strategy to build a machine learning detector that is robust against both empirical obfuscation and optimal attacks. Finally, I will show how proactive approaches can be also employed to develop systems that are not aimed at detecting malware, such as mobile fingerprinting systems. In particular, I propose a methodology to build a powerful mobile fingerprinting system, and examine possible attacks with which users might be able to evade it, thus preserving their privacy. To provide the aforementioned contributions, I co-developed (with the cooperation of the researchers at PRALab and Ruhr-Universität Bochum) various systems: a library to perform optimal attacks against machine learning systems (AdversariaLib), a framework for automatically obfuscating Android applications, a system to the robust detection of Javascript malware inside PDF files (LuxOR), a robust machine learning system to the detection of Android malware, and a system to fingerprint mobile devices. I also contributed to develop Android PRAGuard, a dataset containing a lot of empirical obfuscation attacks against the Android platform. Finally, I entirely developed Slayer NEO, an evolution of a previous system to the detection of PDF malware. The results attained by using the aforementioned tools show that it is possible to proactively build systems that predict possible evasion attacks. This suggests that a proactive approach is crucial to build systems that provide concrete security against general and evasion attacks.

Caratterizzazione geo-petrografica, petrologica e geochimica di rocce anatettiche del nord Sardegna

The High Grade Metamorphic Complex (HGMC) of Variscan basement of north Sardinia is characterized by the widespread of migmatites. This study is focused on two localities of NE Sardinia (Porto Ottiolu and Punta Sirenella) where ortho- and para-derivates migmatites outcrop. A geological and structural survey was carried out, leading to the realization of a geological schematic map of Punta Sirenella area. Several samples of different rocks were collected for petrographic, micro-structural minero-chemical and geochemical analyses. In the Porto Ottiolu area three main deformation phases have been identified; D1, characterized by tight folds with sub-horizontal axes, rarely preserved in paragneisses; D2, that produce a pervasive foliation oriented N100° 45°SW marked by biotite and sillimanite blastesis and locally transposed by shear zone oriented N170°; D3, late deformation phase caused symmetric folds with sub-horizontal axes with no axial plane schistosity. Leucosomes form pods and layers along S2 schistosity but also leucosomes along shear zones have been observed. In the Punta Sirenella area, three main deformation phases have been identified; D1, is manifested by the transposition of centimeter-sized leucosomes and is rarely observed in paragneisses were produce open folds with sub-vertical axes; D2, NW-SE oriented on whose XY plane three mineralogical lineation (quartz+plagioclase, fibrolite+quarz and muscovite) lie; D3, a ductile-brittle deformation phase that produce a mylonitc S3 foliation that locally become the most evident schistosity in the field oriented N140° steeply dipping toward NE. In both areas, leucosomes of sedimentary-derived migmatites are generally trondhjemitic pointing out for a H2O fluxed melting reaction, but also granitic leucosomes have been found, produced by muscovite dehydration melting. Leucosomes of migmatitic orthogneiss instead, have granitic compositions. Migmatization started early, during the compressional and crustal thickening (sin-D1, pre-D2) and was still active during exhumation stage. For each studied outcrop of migmatite pseudosections for the average mesosome composition have been calculated; these pseudosections have been used to model the P-T conditions of anatexis on the basis of the melt volume (%) of melt, Si/Al and Na/K molar ratios, modal content of garnet and Si content in metamorphic white mica. Further pseudosections have been calculated for the average composition of leucosomes in order to define the P-T conditions of the end of the crystallization through intersection of solidus curve and isopleths of Si content in white mica and/or XMg ratio in biotite. Thermodynamic modeling on ortho- and sedimentary-derived migmatites of Punta Sirenella yield P-T conditions of 1.1-1.3 GPa - 670-740°C for migmatitic event and 0.75-0.90 GPa - 660-730°C for the end of crystallization. These conditions are fit well with previous studies on adjacent rocks. Modeling of Porto Ottiolu ortho- and sedimentary-derived migmatites yield P-T conditions of 0.85-1.05 GPa - 690-730°C for migmatitic event and 0.35-0.55 GPa - 630-690°C strongly affected by re-equilibration during exhumation, expecially for crystallization conditions. Geochemical analyses of samples belonging to Porto Ottiolu and Punta Sirenella orthogneisses show a strong link with those of other orthogneisses outcropping in NE Sardinia (for instance, Lode-Mamone and Golfo Aranci) that are considered the intrusive counterparts of middle-Ordovician metavolcanics rocks outcropping in the Nappe Zone. Thus, the studied ortogneiss bodies, even lacking radiometric data, can be considered as belonging to the same magmatic cycle.