Malware comes in many different forms and offers an attacker utility at multiple stages of the cyber kill chain, whether it’s stealing data, remote exploitation, or establishing persistence on a machine. With the advent of mobile computing, malware distribution has become an even more efficient, scalable, profit-generating mechanism. Mobile apps can collect sensitive data, generate fraudulent ad revenue, or commandeer the device’s compute power for use in a botnet.
Unlike some threats that can be sporadic and ephemeral, such as network intrusion, the prevalence of malware enables us to harvest examples over time and use them as a case study to evaluate how malicious actions evolve and how we can design automated systems to detect and classify them in spite of their dynamic, evasive properties.
To do this, we need to better understand current trends in malware and how to represent them in more effective abstractions which often requires developing scalable program analysis techniques that can be embedded in large scale analysis pipelines. Crafting suitable representations of malicious behaviour, both statically and dynamically, allows us to employ statistical techniques such as machine learning that can generalise to new, previously unseen, samples.
Related Publications
IEEE S&P Magazine 2023 · IEEE Security & Privacy Magazine, 2023
@article{CavKinPen23,
author = {Cavallaro, Lorenzo and Kinder, Johannes and Pendlebury, Feargus and Pierazzi, Fabio},
journal = {IEEE Security \& Privacy Magazine},
title = {Are Machine Learning Models for Malware Detection Ready for Prime Time?},
year = {2023},
volume = {21},
number = {2},
pages = {53-56},
doi = {10.1109/MSEC.2023.3236543},
}
AISec 2023 · In Prof. of the ACM Workshop on Artificial Intelligence and Security, 2023
@inproceedings{chow2023driftforensics,
title = {Drift Forensics of Malware Classifiers},
author = {Chow, Theo and Kan, Zeliang and Linhardt, Lorenz and Cavallaro, Lorenzo and Arp, Daniel and Pierazzi, Fabio},
booktitle = {Prof. of the {ACM} Workshop on Artificial Intelligence and Security ({AISec})},
year = {2023},
}
IEEE S&P 2023 · 44th IEEE Symposium on Security and Privacy, 2023
@article{yang2022jigsaw,
author = {Limin Yang, Zhi Chen, Jacopo Cortellazzi, Feargus Pendlebury, Kevin Tu, Fabio Pierazzi, Lorenzo Cavallaro, Gang Wang},
title = {Jigsaw Puzzle: Selective Backdoor Attack
to Subvert Malware Classifiers},
booktitle = {{IEEE} Symposium on Security and Privacy},
volume = {abs/2202.05470},
year = {2023},
url = {https://arxiv.org/abs/2202.05470},
eprint = {2202.05470},
}
DLSP 2023 · 6th IEEE Workshop on Deep Learning Security and Privacy, 2023
@inproceedings{chen23dlsp,
author = {Zhi Chen and Zhenning Zhang and Zeliang Kan and Limin Yang and and Jacopo Cortellazzi and Feargus Pendlebury and Fabio Pierazzi and Lorenzo Cavallaro and Gang Wang},
title = {Is It Overkill? Analyzing Feature-Space Concept Drift in Malware Detectors},
booktitle = {{IEEE} Workshop on Deep Learning Security and Privacy ({DLSP})},
year = {2023},
}
USENIX Sec 2022 | Distinguished Paper Award · 31st USENIX Security Symposium, 2022
@inproceedings{arp2022dodo,
author = {Daniel Arp and Erwin Quiring and Feargus Pendlebury and Alexander Warnecke and Fabio Pierazzi and Christian Wressnegger and Lorenzo Cavallaro and Konrad Rieck},
title = {Dos and Don'ts of Machine Learning in Computer Security},
booktitle = {31st USENIX Security Symposium},
year = {2022},
}
IEEE S&P 2022 · 43rd IEEE Symposium on Security and Privacy, 2022
@inproceedings{barbero2022transcendent,
author = {Federico Barbero and Feargus Pendlebury and Fabio Pierazzi and Lorenzo Cavallaro},
title = {Transcending Transcend: Revisiting Malware Classification in the Presence of Concept Drift},
booktitle = {{IEEE} Symposium on Security and Privacy},
year = {2022},
}
@article{labacacastro2022uaps,
author = {Raphael Labaca-Castro and Luis Muñoz-González and Feargus Pendlebury and Gabi Dreo Rodosek and Fabio Pierazzi and Lorenzo Cavallaro},
title = {Realizable Universal Adversarial Perturbations for Malware},
journal = {CoRR},
volume = {abs/2102.06747},
year = {2022},
url = {https://arxiv.org/abs/2102.06747},
eprint = {2102.06747},
archivePrefix = {arXiv}
}
AISec 2021 · 14th ACM Workshop on Artificial Intelligence and Security, 2021
@inproceedings{kan2021adaptation,
author = {Zeliang Kan and Feargus Pendlebury and Fabio Pierazzi and Lorenzo Cavallaro},
title = {Investigating Labelless Drift Adaptation for Malware Detection},
booktitle = {{ACM} Workshop on Artificial Intelligence and Security ({AISec})},
year = {2021},
}
AISec · 14th ACM Workshop on Artificial Intelligence and Security, 2021
@inproceedings{andresini2021insomnia,
author = {Giuseppina Andresini and Feargus Pendlebury and Fabio Pierazzi and Corrado Loglisci and Annalisa Appice and Lorenzo Cavallaro},
title = {{INSOMNIA}: Towards Concept-Drift Robustness in Network Intrusion Detection},
journal = {{ACM} Workshop on Artificial Intelligence and Security ({AISec})},
year = {2021},
}
CSUR 2024 · ACM Computing Surveys, 2024
@article{Grayetal2024,
author = {Gray, Jason and Sgandurra, Daniele and Cavallaro, Lorenzo and Blasco Alis, Jorge},
title = {Identifying Authorship in Malicious Binaries: Features, Challenges \& Datasets},
journal = {ACM Comput. Surv.},
issue_date = {August 2024},
publisher = {Association for Computing Machinery},
address = {New York, NY, USA},
volume = {56},
number = {8},
month = {apr},
year = {2024},
articleno = {212},
numpages = {36},
url = {https://doi.org/10.1145/3653973},
doi = {10.1145/3653973},
issn = {0360-0300},
}
IEEE S&P 2020 · 41st IEEE Symposium on Security and Privacy, 2020
@inproceedings{pierazzi2020problemspace,
author = {Fabio Pierazzi and Feargus Pendlebury and Jacopo Cortellazzi and Lorenzo Cavallaro},
booktitle = {2020 IEEE Symposium on Security and Privacy (SP)},
title = {Intriguing Properties of Adversarial ML Attacks in the Problem Space},
year = {2020},
volume = {},
issn = {2375-1207},
pages = {1308-1325},
doi = {10.1109/SP40000.2020.00073},
url = {https://doi.ieeecomputersociety.org/10.1109/SP40000.2020.00073},
publisher = {IEEE Computer Society},
}
IEEE TIFS 2020 · IEEE Trans. Information Forensics and Security, 2020
@article{DBLP:journals/tifs/delia,
author = {Daniele Cono D'Elia and Emilio Coppa and Federico Palmaro and Lorenzo Cavallaro},
title = {{On the Dissection of Evasive Malware}},
journal = {{IEEE Trans. Information Forensics and Security}},
volume = {15},
pages = {2750--2765},
year = {2020},
url = {https://doi.org/10.1109/TIFS.2020.2976559},
doi = {10.1109/TIFS.2020.2976559},
bibsource = {dblp computer science bibliography, http://dblp.org},
note = {IEEE TIFS}
}
USENIX Sec 2019 · 28th USENIX Security Symposium, 2019
@inproceedings{pendlebury2019tesseract,
author = {Feargus Pendlebury and Fabio Pierazzi and Roberto Jordaney and Johannes Kinder and Lorenzo Cavallaro},
title = {{TESSERACT: Eliminating Experimental Bias in Malware Classification across Space and Time}},
booktitle = {28th USENIX Security Symposium},
year = {2019},
address = {Santa Clara, CA},
publisher = {USENIX Association},
note = {USENIX Sec}
}
RAID 2018 · 21st International Symposium on Research in Attacks, Intrusions and Defenses, 2018
@inproceedings{DBLP:conf/raid/RizzoCK18,
author = {Claudio Rizzo and Lorenzo Cavallaro and Johannes Kinder},
title = {BabelView: Evaluating the Impact of Code Injection Attacks in Mobile Webviews},
booktitle = {{RAID}},
series = {Lecture Notes in Computer Science},
volume = {11050},
pages = {25--46},
publisher = {Springer},
year = {2018}
}
USENIX Sec 2017 · 26th USENIX Security Symposium, 2017
@inproceedings {jordaney2017,
author = {Roberto Jordaney and Kumar Sharad and Santanu K. Dash and Zhi Wang and Davide Papini and Ilia Nouretdinov and Lorenzo Cavallaro},
title = {{Transcend: Detecting Concept Drift in Malware Classification Models}},
booktitle = {26th USENIX Security Symposium},
year = {2017},
address = {Vancouver, BC},
url = {https://www.usenix.org/conference/usenixsecurity17/technical-sessions/presentation/jordaney},
publisher = {USENIX Association},
note = {USENIX Sec}
}
IEEE TIFS 2017 · IEEE Trans. Information Forensics and Security, 2017
@article{DBLP:journals/tifs/0029LBKTLC17,
author = {Li Li and Daoyuan Li and Tegawende F. Bissyande and Jacques Klein and Yves Le Traon and David Lo and Lorenzo Cavallaro},
title = {{Understanding Android App Piggybacking: A Systematic Study of Malicious Code Grafting}},
journal = {{IEEE Trans. Information Forensics and Security}},
volume = {12},
number = {6},
pages = {1269--1284},
year = {2017},
url = {https://doi.org/10.1109/TIFS.2017.2656460},
doi = {10.1109/TIFS.2017.2656460},
timestamp = {Sun, 28 May 2017 13:17:25 +0200},
biburl = {http://dblp.uni-trier.de/rec/bib/journals/tifs/0029LBKTLC17},
bibsource = {dblp computer science bibliography, http://dblp.org},
note = {IEEE TIFS}
}
MSR 2017 · 14th International Conference on Mining Software Repositories, 2017
@inproceedings{DBLP:conf/msr/HurierSDBTKC17,
author = {Mederic Hurier and Guillermo Suarez-Tangil and Santanu Kumar Dash and Tegawende F. Bissyande and Yves Le Traon and Jacques Klein and Lorenzo Cavallaro},
title = {{Euphony: Harmonious Unification of Cacophonous Anti-Virus Vendor Labels for Android Malware}},
booktitle = {Proceedings of the 14th International Conference on Mining Software Repositories, {MSR} 2017, Buenos Aires, Argentina, May 20-28},
pages = {425--435},
year = {2017},
doi = {10.1109/MSR.2017.57},
timestamp = {Fri, 07 Jul 2017 14:06:35 +0200},
biburl = {http://dblp.uni-trier.de/rec/bib/conf/msr/HurierSDBTKC17},
bibsource = {dblp computer science bibliography, http://dblp.org},
note = {MSR}
}
ACM CSUR 2017 · ACM Computing Surveys, 2017
@article{Tam:2017:EAM:3022634.3017427,
author = {Kimberly Tam and Ali Feizollah and Badrul Nor Anuar and Rosli Salleh and Lorenzo Cavallaro},
title = {{The Evolution of Android Malware and Android Analysis Techniques}},
journal = {ACM Compututing Surveys},
issue_date = {February 2017},
volume = {49},
number = {4},
month = {January},
year = {2017},
issn = {0360-0300},
pages = {76:1--76:41},
articleno = {76},
numpages = {41},
url = {http://doi.acm.org/10.1145/3017427},
doi = {10.1145/3017427},
acmid = {3017427},
publisher = {ACM},
address = {New York, NY, USA},
keywords = {Android, classification, detection, dynamic analysis, malware, static analysis},
note = {ACM CSUR}
}
ACM CODASPY 2017 · 7th ACM Conference on Data and Application Security and Privacy, 2017
@inproceedings{codaspy17,
author = {Guillermo Suarez-Tangil and Santanu Kumar Dash and Mansour Ahmadi and Johannes Kinder and Giorgio Giacinto and Lorenzo Cavallaro},
title = {{DroidSieve: Fast and Accurate Classification of Obfuscated Android Malware}},
booktitle = {{Proceedings of the Seventh ACM Conference on Data and Application Security and Privacy}},
year = {2017},
month = {March},
url = {http://dx.doi.org/10.1145/3029806.3029825},
doi = {10.1145/3029806.3029825},
note = {ACM CODASPY}
}
TR@RHUL 2016 · Technical Report, 2016
@TechReport{RHUL2016,
author = {Roberto Jordaney and Zhi Wang and Davide Papini and Ilia Nouretdinov and Lorenzo Cavallaro},
title = {{Misleading Metrics: On Evaluating Machine Learning for Malware with Confidence}},
institution = {Royal Holloway, University of London},
year = {2016},
number = {2016-1},
note = {TR@RHUL}
}
IEEE S&P-MoST 2016 · IEEE Security and Privacy Workshops: Mobile Security Technologies, 2016
@inproceedings{most16-droidscribe,
author = {Santanu Kumar Dash and Guillermo Suarez-Tangil and Salahuddin Khan and Kimberly Tam and Mansour Ahmadi and Johannes Kinder and Lorenzo Cavallaro},
title = {DroidScribe: Classifying Android Malware Based on Runtime Behavior},
booktitle = {IEEE Security and Privacy Workshops: Mobile Security Technologies},
year = 2016,
month = {May},
note = {IEEE S&P-MoST}
}
FGCS 2016 · Future Generation Computer Systems, 2016
@Article{gurulian16:_you_cant_touch_this,
author = {Iakovos Gurulian and Konstantinos Markantonakis and Lorenzo Cavallaro and Keith Mayes},
title = {{You Can't Touch This: Consumer-centric Android Application Repackaging Detection}},
journal = {Future Generation Computer Systems},
year = 2016,
volume = 65,
pages = {1-9},
month = {December},
note = {FGCS}
}
ACM CCS-AISec 2016 · 9th ACM CCS Workshop on Artificial Intelligence and Security, 2016
@inproceedings{aisec16,
author = {Amit Deo and Santanu Kumar Dash and Guillermo Suarez-Tangil and Volodya Vovk and Lorenzo Cavallaro},
title = {{Prescience: Probabilistic Guidance on the Retraining Conundrum for Malware Detection}},
booktitle = {9th ACM CCS Workshop on Artificial Intelligence and Security},
year = {2016},
note = {ACM CCS-AISec}
}
SLDS 2015 · 3rd International Symposium of Statistical Learning and Data Science, 2015
@inproceedings{cherubin,
author = {Giovanni Cherubin and Ilia Nouretdinov and Alexander Gammerman and Roberto Jordaney and Zhi Wang and Davide Papini and Lorenzo Cavallaro},
title = {{Conformal Clustering and Its Application to Botnet Traffic}},
booktitle = {Statistical Learning and Data Sciences, 3rd International Symposium},
year = {2015},
note = {SLDS}
}
NDSS 2015 · 22nd Annual Network and Distributed System Security Symposium, 2015
@InProceedings{copperdroid-ndss2015,
author = {Kimberly Tam, Salahuddin J. Khan, Aristide Fattori, and Lorenzo Cavallaro},
title = {{CopperDroid: Automatic Reconstruction of Android Malware Behaviors}},
booktitle = {22nd Annual Network and Distributed System Security Symposium, San Diego, California, USA},
year = 2015,
month = {February},
note = {NDSS}
}