ForSE 2022 Abstracts


Area 1 - Application of Formal Methods Techniques

Full Papers
Paper Nr: 1
Title: On the Influence of Image Settings in Deep Learning-based Malware Detection
Authors: Francesco Mercaldo, Fabio Martinelli, Antonella Santone and Vinod P.

Abstract: Considering the inadequacy of signature-based approaches for detecting malware, especially in the mobile environment, the research community is developing methodologies for detecting malware, especially using deep learning techniques, modeling applications as images. In the state of the art, several methods are proposed, each using a different kind of image and a different image dimension: currently there are no standard settings for image preprocessing in Android malware detection. The aim of this paper is to compare the performance of different deep learning models to understand the best settings in terms of kind of image and image dimension. The idea is to trace a path in order to indicate the optimal settings for processing a dataset for malware detection using deep learning.

Paper Nr: 2
Title: Tamer: A Sandbox for Facilitating and Automating IoT Malware Analysis with Techniques to Elicit Malicious Behavior
Authors: Shun Yonamine, Yuzo Taenaka and Youki Kadobayashi

Abstract: Although malware poses a significant threat to IoT devices, the technology to combat IoT malware, such as sandboxes, has not received enough attention. The majority of efforts in existing research have focused on x86-flavored binaries that are not used for IoT devices. In fact, we have witnessed that many samples of IoT malware that can be observed in the wild are ARM binaries. In this paper, we propose a novel sandbox for analyzing Linux malware, including IoT malware. Our sandbox system, called Tamer, supports dynamic analysis of ARM binaries and has features to automate and facilitate IoT malware analysis, such as an automated interaction mechanism and a fake network environment for dynamic analysis. In addition, our system adopts features such as dynamic binary instrumentation and virtual machine introspection, which may allow retrieving further insights from malware. With a dataset of real-world malware, we demonstrated that our sandbox system can analyze IoT malware that is specifically designed to infect IoT devices. Through an analysis experiment on a large number of IoT malware samples, we demonstrate that our system could facilitate large-scale analysis in an automated manner and retrieve further insights from IoT malware.

Paper Nr: 3
Title: Profile Hidden Markov Model Malware Detection and API Call Obfuscation
Authors: Muhammad Ali, Monem Hamid, Jacob Jasser, Joachim Lerman, Samod Shetty and Fabio Di Troia

Abstract: Profile Hidden Markov Models (PHMMs) have been used to detect malware samples based on their behavior on the host system and have obtained promising results. Since PHMMs are a novel way of categorizing malware and there is limited research on such detection methods, there is no data on the impact that certain obfuscation techniques have on PHMMs. An obfuscation tool that could weaken PHMM-based detection has not yet been proposed. Our novel approach is based on applying PHMM detection by training the machine learning models on API calls that are dynamically extracted from the malware samples, and then attempting to elude detection by the same models using obfuscation techniques. Hence, in our paper, we created a PHMM model trained on API call sequences extracted by running malware in a sandbox, then we tried to undermine the detection effectiveness by applying different state-of-the-art API obfuscation techniques to the malware. By implementing sophisticated API call obfuscation techniques, we were able to reduce the PHMM detection rate from 1.0, without API call obfuscation, to 0.68.

Paper Nr: 4
Title: NLP-based User Authentication through Mouse Dynamics
Authors: Hoseong A. Lee, Nikhil Prathapani, Rajesh Paturi, Sarp Parmaksiz and Fabio Di Troia

Abstract: Insider threat attacks are increasing in most organizations yearly. It is also tough to prevent this type of attack because the threat is within the boundary, making insiders more dangerous than external threat actors. There can be a situation where a strong authentication layer is implemented for external users, but, due to cost or maintenance effort, the authentication layer for insiders might not have proper security controls. One type of insider threat attack is to exploit sessions established by legitimate users. There are certain applications and operating systems that provide a built-in security mechanism to detect idle sessions and automatically expire them if no action is performed by the user. However, this type of protection is still vulnerable, since it cannot really detect whether the user who is taking action is the legitimate user or not. In this paper, we propose to use an advanced machine learning model based on Natural Language Processing (NLP) algorithms to authenticate users based on their mouse dynamics in web browser contexts. The model can provide a protective layer that continuously monitors against insider threat attacks. By this method, we can prevent malicious users from accessing unauthorized assets and provide enhanced security to legitimate users.