ForSE 2018 Abstracts


Full Papers
Paper Nr: 1
Title:

Statistical and Combinatorial Analysis of the TOR Routing Protocol - Structural Weaknesses Identified in the TOR Network

Authors:

Eric Filiol, Nicolas J. and Maxence Delong

Abstract: In this paper, we present the results of a deep analysis of the TOR routing protocol from a statistical and combinatorial point of view. We have modeled all possible routes of this famous anonymity network exhaustively while taking different parameters into account, using only the data provided by the TOR foundation. We have then confronted our theoretical model with the reality on the ground. To do this, we have generated thousands of routes on the TOR network and compared the results obtained with those predicted by the theory. A last step of combinatorial analysis has enabled us to identify critical subsets of Onion routers (ORs) on which 33%, 50%, 66% and 75% of the TOR traffic respectively depends. We have also managed to extract most of the TOR relay bridges, which are non-public nodes managed by the TOR foundation. The same results as for the ORs have been observed.

Paper Nr: 2
Title:

VizMal: A Visualization Tool for Analyzing the Behavior of Android Malware

Authors:

Alessandro Bacci, Fabio Martinelli, Eric Medvet and Francesco Mercaldo

Abstract: Malware signature extraction is currently a manual and time-consuming process. As a matter of fact, security analysts have to manually inspect samples under analysis in order to find the malicious behavior. From the research side, the current literature lacks methods focused on malicious behavior localization: the designed approaches basically mark an entire application as malware or non-malware (i.e., take a binary decision) without knowledge of where the malicious behavior is located inside the analysed sample. In this paper, with the twofold aim of assisting the malware analyst in the inspection process and of pushing the research community towards malicious behavior localization, we propose VizMal, a tool for visualizing the dynamic trace of an Android application which highlights the portions of the application that look potentially malicious. VizMal performs a detailed analysis of the application activities, showing for each second of the execution whether the behavior exhibited is legitimate or malicious. The analyst may hence visualize at a glance when and to which degree an application execution looks malicious.

Paper Nr: 3
Title:

APT RPG: Design of a Gamified Attacker/Defender Meta Model

Authors:

Robert Luh, Marlies Temper, Simon Tjoa and Sebastian Schrittwieser

Abstract: We present a meta model for comprehensive, time-enabled attacker/defender behavior ready for incorporation in a dynamic, imperfect information multi-player game that derives significant parts of its ruleset from established information security sources such as STIX, CAPEC, CVE/CWE and NIST SP800-53. Concrete attack patterns, vulnerabilities, and mitigating controls are mapped to their counterpart strategies and actions through practical, data-centric mechanisms. The gamified model furthermore considers and defines a wide range of actors, assets, and actions, thereby enabling a detailed assessment of cyber risks while giving analysts the opportunity to explore specific attack scenarios in the context of their own infrastructure.

Paper Nr: 4
Title:

Health State of Google’s PlayStore - Finding Malware in Large Sets of Applications from the Android Market

Authors:

Alexandre Dey, Loic Beheshti and Marie-Kerguelen Sido

Abstract: Android has, to this day, more than 80% of the mobile OS market share. Android users also have access to more than 2 million applications via the Google Playstore. The Playstore being an official market, users tend to trust the applications they find in it, and therefore the store is an interesting platform for spreading malware. We want to provide a health state of this store by finding the proportion of malware that managed to get published in it. In this paper, we explain how we developed the crawler that massively downloads applications directly from the Playstore. Then we describe which features we extract from the applications and how we classified them with the help of an Artificial Neural Network. Our study confirms that there are malicious applications on the Playstore. Their proportion is around 2%, which corresponds to about 40,000 officially downloadable malicious applications.

Paper Nr: 5
Title:

Acoustic Gait Analysis using Support Vector Machines

Authors:

Jasper Huang, Fabio Di Troia and Mark Stamp

Abstract: Gait analysis, defined as the study of human locomotion, can provide valuable information for low-cost analytic and classification applications in security, medical diagnostics, and biomechanics. In comparison to visual-based gait analysis, audio-based gait analysis offers robustness to clothing variations, visibility issues, and angle complications. Current acoustic techniques rely on frequency-based features that are sensitive to changes in footwear and floor surfaces. In this research, we consider an approach to surface-independent acoustic gait analysis based on time differences between consecutive steps. We employ support vector machines (SVMs) for classification. Our approach achieves good classification rates with high discriminative one-vs-all capabilities and we believe that our technique provides a promising avenue for future development.

Paper Nr: 9
Title:

Deep Learning versus Gist Descriptors for Image-based Malware Classification

Authors:

Sravani Yajamanam, Vikash Raja Samuel Selvin, Fabio Di Troia and Mark Stamp

Abstract: Image features known as "gist descriptors" have recently been applied to the malware classification problem. In this research, we implement, test, and analyze a malware score based on gist descriptors, and verify that the resulting score yields very strong classification results. We also analyze the robustness of this gist-based scoring technique when applied to obfuscated malware, and we perform feature reduction to determine a minimal set of gist features. Then we compare the effectiveness of a deep learning technique to this gist-based approach. While scoring based on gist descriptors is effective, we show that our deep learning technique performs equally well. A potential advantage of the deep learning approach is that there is no need to extract the gist features when training or scoring.

Paper Nr: 10
Title:

Cluster Analysis for Driver Aggressiveness Identification

Authors:

Fabio Martinelli, Francesco Mercaldo, Vittoria Nardone, Albina Orlando and Antonella Santone

Abstract: In recent years, several automotive safety concepts have been proposed, for instance cruise control and automatic braking systems. The proposed systems are able to take control of the vehicle when a dangerous situation is detected. Less effort has been devoted to driver aggressiveness as a means of mitigating dangerous situations. In this paper we propose an approach to identify driver aggressiveness by exploring the use of unsupervised machine learning techniques. A real-world case study is performed to evaluate the effectiveness of the proposed method.

Paper Nr: 11
Title:

Advancing Protocol Fuzzing for Industrial Automation and Control Systems

Authors:

Steffen Pfrang, David Meier, Michael Friedrich and Jürgen Beyerer

Abstract: Testing for security vulnerabilities plays an important role in the changing domain of industrial automation and control systems. These systems are increasingly connected to each other via networking technology and are faced with new cyber threats. To improve the security properties of such systems, their robustness must be ensured. Security testing frameworks aim at enabling the assurance of robustness already at development time and can play a key role in bringing security into the industrial domain. Fuzzing describes a technique to discover vulnerabilities in technical systems and is best known from its usage in IT security testing. It uses randomly altered data to provoke unexpected behaviour and can be used in combination with regular unit testing. Combined with the power of fuzzing, the effectiveness of security testing frameworks can be increased. In this work, different fuzzing tools were evaluated for their properties and then compared with the requirements for an application in the industrial domain. As no fuzzer fully satisfied these requirements, a new fuzzer, combining the strengths of several others, was designed, implemented and then evaluated. The evaluation includes a real-world application in which multiple vulnerabilities in industrial automation components could be identified.
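The abstract names the technique, mutation of protocol messages to provoke unexpected behaviour, without describing the fuzzer's design. What follows is an added illustration written for this page, not the authors' tool: a structure-aware mutation fuzzer for Modbus/TCP, assumed here as a stand-in industrial protocol (the paper does not say which protocols were fuzzed), run against two constructed parsers, a validating one and a trusting one, in place of a device implementation. The mutator names, seed frame and case count are the example's own choices.

```python
# Added example (not the authors' fuzzer): a structure-aware mutation fuzzer for
# Modbus/TCP, assumed here as a stand-in industrial protocol, run against two
# constructed parsers so the campaign shows what the mutations find.
import random
import struct

MBAP = struct.Struct(">HHHB")   # transaction id, protocol id (0), length, unit id
READ_HOLDING_REGISTERS = 0x03

def build_read_holding_registers(tid, unit, address, quantity):
    """Valid 12-byte Modbus/TCP ADU: MBAP header + function 0x03 request PDU.
    The MBAP length field counts the unit id plus the PDU."""
    pdu = struct.pack(">BHH", READ_HOLDING_REGISTERS, address, quantity)
    return MBAP.pack(tid, 0, 1 + len(pdu), unit) + pdu

def strict_parse(frame):
    """Validating parser: every inconsistency becomes a ValueError; it never
    performs a read whose bounds depend on an unchecked field."""
    if len(frame) < MBAP.size + 1:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = MBAP.unpack_from(frame)
    if proto != 0:
        raise ValueError("protocol id must be 0")
    if length != len(frame) - 6:            # 6 = MBAP bytes before the unit id
        raise ValueError("length field disagrees with frame size")
    if length > 254:
        raise ValueError("ADU exceeds the 260-byte Modbus/TCP maximum")
    pdu = frame[MBAP.size:]
    if pdu[0] != READ_HOLDING_REGISTERS:
        raise ValueError("unsupported function code")
    if len(pdu) != 5:
        raise ValueError("malformed function 0x03 request")
    address, quantity = struct.unpack(">HH", pdu[1:])
    if not 1 <= quantity <= 125:
        raise ValueError("quantity outside 1..125")
    if address + quantity > 0x10000:
        raise ValueError("register range wraps the 16-bit address space")
    return {"tid": tid, "unit": unit, "address": address, "quantity": quantity}

def naive_parse(frame):
    """Trusting parser typical of quick lab code: slices by the length field and
    pre-sizes the reply from the quantity field without any checks."""
    tid, proto, length, unit = MBAP.unpack_from(frame)
    pdu = frame[MBAP.size:MBAP.size - 1 + length]      # trusts the length field
    address, quantity = struct.unpack(">HH", pdu[1:5])  # assumes a 5-byte PDU
    reply = bytes(2 * quantity)                          # trusts the quantity field
    return {"tid": tid, "unit": unit, "address": address, "quantity": quantity,
            "reply_bytes": len(reply)}

# Mutators: each takes the valid seed frame and returns one fuzzed frame.
def mut_flip_bit(frame, rng):
    i = rng.randrange(len(frame))
    return frame[:i] + bytes([frame[i] ^ (1 << rng.randrange(8))]) + frame[i + 1:]

def mut_truncate(frame, rng):
    return frame[:rng.randrange(1, len(frame))]

def mut_length_field(frame, rng):
    return frame[:4] + struct.pack(">H", rng.choice([0, 1, 0xFF, 0xFFFF])) + frame[6:]

def mut_quantity_field(frame, rng):
    return frame[:10] + struct.pack(">H", rng.choice([0, 126, 0x7FFF, 0xFFFF]))

def mut_append_garbage(frame, rng):
    return frame + bytes(rng.randrange(256) for _ in range(rng.randrange(1, 64)))

MUTATORS = [mut_flip_bit, mut_truncate, mut_length_field, mut_quantity_field,
            mut_append_garbage]

def fuzz_campaign(target, seed=1, n_cases=200):
    """Apply one randomly chosen mutator per case to a valid seed frame and feed
    the result to `target`. A ValueError counts as a clean rejection; any other
    exception is recorded as a crash, i.e. an unchecked read the fuzzer found."""
    rng = random.Random(seed)
    seed_frame = build_read_holding_registers(tid=1, unit=1, address=0x0010, quantity=8)
    summary = {"accepted": 0, "rejected": 0, "crashes": []}
    for _ in range(n_cases):
        mutator = rng.choice(MUTATORS)
        frame = mutator(seed_frame, rng)
        try:
            target(frame)
        except ValueError:
            summary["rejected"] += 1
        except Exception as exc:               # struct.error, IndexError, ...
            summary["crashes"].append((mutator.__name__, frame.hex(), type(exc).__name__))
        else:
            summary["accepted"] += 1
    return summary

if __name__ == "__main__":
    for name, parser in (("strict", strict_parse), ("naive", naive_parse)):
        s = fuzz_campaign(parser)
        print(f"{name}: accepted={s['accepted']} rejected={s['rejected']} crashes={len(s['crashes'])}")
```

Running the same campaign against both parsers makes the point of the exercise visible: the validating parser turns every malformed frame into a clean rejection, while the trusting one raises struct.error on truncated frames and on frames whose length field lies, the class of defect a fuzzer surfaces in a real device stack. Against real hardware the target callable would send the frame to TCP port 502 and treat a timeout or connection reset as the crash signal instead of catching an exception.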

Paper Nr: 12
Title:

Attacks on Industrial Control Systems - Modeling and Anomaly Detection

Authors:

Oliver Eigner, Philipp Kreimel and Paul Tavolato

Abstract: Industrial control systems play a crucial role in a digital society, particularly when they are part of critical infrastructures. Unfortunately, traditional intrusion defense strategies for IT systems are often not applicable in industrial environments. Continuous monitoring of the operation is necessary to detect abnormal behavior of a system. This paper presents an anomaly-based approach for the detection and classification of attacks against industrial control systems. In order to stay close to practice, we set up a test plant with sensors, actuators and controllers widely used in industry, thus providing a test environment as close as possible to reality. First, we defined a formal model of normal system behavior, determining the essential parameters through machine learning algorithms. The goal was the definition of outlier scores to differentiate between normal and abnormal system operations. This model of valid behavior is then used to detect anomalies. Further, we launched cyber-attacks against the test setup in order to create an attack model using naive Bayes classifiers. We applied the model to data from a real industrial plant. The test showed that the model could be transferred to different industrial control systems with reasonable adaptation and training effort.

Paper Nr: 13
Title:

Identifying Insecure Features in Android Applications using Model Checking

Authors:

Fabio Martinelli, Francesco Mercaldo and Vittoria Nardone

Abstract: Nowadays Android is the most widespread operating system. This is the reason why malware writers target it. Both researchers and commercial anti-malware vendors provide several solutions to detect and mitigate this phenomenon. They analyze one single application at a time using combinations of static, dynamic and behavior-based techniques. However, one of the latest threats is the collusion attack. In order to perpetrate this attack, the malicious behaviour is divided between two or more applications: collusion refers to multiple applications that each accomplish their fragment of the malicious behaviour and then communicate using the Inter Component Communication mechanism provided by the Android platform. Basically, the colluding applications intentionally expose private and sensitive information. The aim of this paper is to investigate whether legitimate and malware applications share private data. One way to exchange data between different applications in the Android environment is through Shared Preferences. In this preliminary work we investigate whether an application transfers data using Shared Preferences with public visibility.
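The abstract names the mechanism, Shared Preferences created with public visibility, without showing what it looks like in code. The following is an added example and not the paper's model-checking technique: a small static scanner that resolves the mode argument of the Android Context file APIs (getSharedPreferences among them) and flags world-readable or world-writeable modes. The Java snippet it scans is constructed for the example; the scanner follows only constants and literals and reports anything else as unknown.

```python
# Added example, not the authors' model-checking approach: a lightweight static
# check for Android Context file APIs (SharedPreferences among them) opened with
# a world-readable or world-writeable mode, run over a constructed Java snippet.
import re

# Android Context mode constants. MODE_WORLD_READABLE/WRITEABLE are deprecated
# since API 17 and throw SecurityException from API 24, but still ship in old
# code and still work on older devices, which is what makes them a leak.
MODE_CONSTANTS = {
    "MODE_PRIVATE": 0, "MODE_WORLD_READABLE": 1, "MODE_WORLD_WRITEABLE": 2,
    "MODE_MULTI_PROCESS": 4, "MODE_APPEND": 32768,
}
WORLD_MASK = MODE_CONSTANTS["MODE_WORLD_READABLE"] | MODE_CONSTANTS["MODE_WORLD_WRITEABLE"]
# Context methods whose second argument is the file mode.
MODE_APIS = ("getSharedPreferences", "openFileOutput", "getDir", "openOrCreateDatabase")
CALL_RE = re.compile(r"\b(" + "|".join(MODE_APIS) + r")\s*\(")

def split_top_level_args(src, open_paren):
    """Return the argument list of the call whose '(' sits at src[open_paren],
    splitting only on commas outside nested parentheses and string literals."""
    depth, in_string, current, args = 0, False, [], []
    for i in range(open_paren, len(src)):
        c = src[i]
        if in_string:
            current.append(c)
            in_string = c != '"'        # Java escape sequences not handled here
        elif c == '"':
            in_string = True
            current.append(c)
        elif c == "(":
            depth += 1
            if depth > 1:
                current.append(c)
        elif c == ")":
            depth -= 1
            if depth == 0:
                args.append("".join(current).strip())
                return args
            current.append(c)
        elif c == "," and depth == 1:
            args.append("".join(current).strip())
            current = []
        else:
            current.append(c)
    raise ValueError("unbalanced parentheses in call")

def mode_value(expr):
    """Resolve a mode expression (constant names, decimal/hex literals and '|'
    combinations) to an int; None when it depends on something not visible here."""
    value = 0
    for term in expr.split("|"):
        term = term.strip()
        if term.startswith("Context."):
            term = term[len("Context."):]
        if term in MODE_CONSTANTS:
            value |= MODE_CONSTANTS[term]
        else:
            try:
                value |= int(term, 0)
            except ValueError:
                return None
    return value

def scan_java(src):
    """Findings for every mode-taking call: 'world' when the resolved mode has a
    world bit set, 'unknown' when the mode is something the scanner cannot follow."""
    findings = []
    for match in CALL_RE.finditer(src):
        args = split_top_level_args(src, match.end() - 1)
        if len(args) < 2:
            continue
        mode = mode_value(args[1])
        verdict = "unknown" if mode is None else ("world" if mode & WORLD_MASK else None)
        if verdict:
            line = src.count("\n", 0, match.start()) + 1
            findings.append({"line": line, "api": match.group(1), "mode": args[1], "verdict": verdict})
    return findings

# Constructed sample source, not taken from any real application.
SAMPLE_JAVA = """\
import android.content.Context;
import android.content.SharedPreferences;

public class Session {
    void save(Context ctx, String token, int mode) throws java.io.IOException {
        SharedPreferences ok = ctx.getSharedPreferences("session", Context.MODE_PRIVATE);
        SharedPreferences leak = ctx.getSharedPreferences(ctx.getPackageName() + "_shared",
                Context.MODE_WORLD_READABLE);
        SharedPreferences legacy = ctx.getSharedPreferences("legacy", 1);
        java.io.FileOutputStream out = ctx.openFileOutput("export.txt",
                Context.MODE_PRIVATE | Context.MODE_WORLD_WRITEABLE);
        SharedPreferences dyn = ctx.getSharedPreferences("dyn", mode);
        leak.edit().putString("token", token).apply();
    }
}
"""

if __name__ == "__main__":
    for f in scan_java(SAMPLE_JAVA):
        print(f"line {f['line']}: {f['api']}(..., {f['mode']}) -> {f['verdict']}")
```

On a device the preferences file lives under /data/data/<package>/shared_prefs/<name>.xml, and the world bits of the mode become the file's Unix permission bits, which is why a colluding application can read it without holding any permission of its own. The "unknown" verdict is the honest answer where the mode is computed at run time; that is the case where reasoning about the application's behaviour, as the paper's model checking does, adds something a syntactic scan cannot.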

Short Papers
Paper Nr: 8
Title:

Autocorrelation Analysis of Financial Botnet Traffic

Authors:

Prathiba Nagarajan, Fabio Di Troia, Thomas H. Austin and Mark Stamp

Abstract: A botnet consists of a network of infected computers that can be controlled remotely via a command and control (C&C) server. Typically, a botnet requires frequent communication between a C&C server and the infected nodes. Previous approaches to detecting botnets have included various machine learning techniques based on features extracted from network traffic. In this research, we conduct autocorrelation analysis of traffic generated by financial botnets, and we show that periodicity is a highly distinguishing feature for detecting such botnets.
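As an added example, not code from the paper: the periodicity claim in the abstract can be checked on a binned packet-count series with a plain autocorrelation function. The traffic below is constructed, a bot polling every 60 s with jitter on top of random background flows, and the 0.2 correlation threshold and 0.8 harmonic ratio are the example's own choices, not figures from the paper.

```python
# Added example, not code from the paper: autocorrelation of a binned traffic
# time series to expose the periodic C&C polling of a bot. The traffic here is
# constructed (a jittered 60 s beacon buried in random background flows), not a
# capture of a real financial botnet.
import random

def bin_timestamps(timestamps, duration, bin_size=1.0):
    """Turn event timestamps (seconds from start) into a per-bin event count."""
    n_bins = int(duration // bin_size)
    counts = [0] * n_bins
    for t in timestamps:
        idx = int(t // bin_size)
        if 0 <= idx < n_bins:
            counts[idx] += 1
    return counts

def autocorrelation(series, max_lag):
    """Normalised autocorrelation r[k] for k = 0..max_lag (r[0] == 1).
    A series with no variance has no structure and returns zeros beyond lag 0."""
    n = len(series)
    if max_lag >= n:
        raise ValueError("max_lag must be smaller than the series length")
    mean = sum(series) / n
    dev = [x - mean for x in series]
    var = sum(d * d for d in dev)
    if var == 0.0:
        return [1.0] + [0.0] * max_lag
    return [sum(dev[i] * dev[i + k] for i in range(n - k)) / var
            for k in range(max_lag + 1)]

def dominant_period(series, max_lag, harmonic_ratio=0.8):
    """Return (lag, r) of the fundamental period: the smallest lag whose
    autocorrelation is within harmonic_ratio of the strongest peak at k >= 1,
    so that 2T, 3T, ... are not reported instead of the true period T.
    Returns (0, peak) when no lag has positive autocorrelation."""
    acf = autocorrelation(series, max_lag)
    peak = max(acf[1:])
    if peak <= 0.0:
        return 0, peak
    for k in range(1, max_lag + 1):
        if acf[k] >= harmonic_ratio * peak:
            return k, acf[k]

def is_beaconing(series, max_lag, min_r=0.2):
    """Periodicity verdict: a clear peak at some lag means regular polling."""
    lag, r = dominant_period(series, max_lag)
    return lag > 0 and r >= min_r

def constructed_traffic(duration=3600.0, period=60.0, n_background=150, seed=7):
    """Constructed sample (not real capture data): uniformly random background
    events plus one bot that polls its C&C every `period` seconds with +-0.4 s
    jitter. Returns (all events, background-only events) for comparison."""
    rng = random.Random(seed)
    background = [rng.uniform(0.0, duration) for _ in range(n_background)]
    beacons = [3.5 + period * n + rng.uniform(-0.4, 0.4)
               for n in range(int(duration // period))]
    return background + beacons, background

if __name__ == "__main__":
    all_events, background_only = constructed_traffic()
    for label, events in (("bot + background", all_events), ("background only", background_only)):
        series = bin_timestamps(events, 3600.0)
        lag, r = dominant_period(series, max_lag=300)
        print(f"{label}: strongest period {lag} s, r={r:.2f}, beaconing={is_beaconing(series, 300)}")
```

The harmonic_ratio rule matters in practice: a strictly periodic beacon also correlates at 2T, 3T and so on, and noise can make one of those multiples the numerically largest peak, so reporting the smallest lag close to the maximum recovers the polling interval itself. On real captures, building the series per source/destination pair before computing the ACF keeps unrelated periodic traffic on the same network from masking the bot.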