ForSE 2019 Abstracts


Full Papers
Paper Nr: 1
Title:

Solving a Hard Instance of Suspicious Behaviour Detection with Sparse Binary Vectors Clustering

Authors:

Eric Filiol and Abhilash Hota

Abstract: In this article we present a study dealing with the problem of detecting a very small subset of suspicious and malicious behaviours, represented by sparse binary vectors, in a significantly larger population of individuals. The main problem lies in the fact that malicious behaviours, in the case of sparse vectors, are difficult to distinguish from normal behaviours. Despite the fact that vectors are apparently strongly unbalanced, this property cannot be exploited since the objects to classify (behaviours) do not exhibit a strong enough frequency discrepancy. It is not possible to work on detection directly and it is therefore necessary to go through a preliminary phase of vector partitioning (representing normal or malicious behaviour) to select a reduced subset concentrating with a high probability most of the vectors corresponding to malicious behaviours. We have been working on a set of anonymized real data from terrorism-related cases.

Paper Nr: 2
Title:

Systematic Characterization of a Sequence Group

Authors:

Paul Irolla

Abstract: Finding similarities in a group of sequences often involves studying their common subsequences or their common substrings. In our case, Android malware detection/classification, we study the event sequences coming from the dynamic analysis of applications. For several reasons, these sequences are mostly comprised of benign events. This specific setup makes classic sequence similarity criteria useless without any machine learning. The sequence membership to a group is characterized by subsequences of any length. Heuristic algorithms for extracting short subsequences already exist, but no attempt to solve the problem systematically has been proposed. We propose a new algorithm for building the Embedding Antichain from the set of common subsequences (noted AΓ). We show that this mathematical representation is very compact and embeds all common subsequences of a sequence set. It is a tool for characterizing a group of sequences. The construction of this representation reveals several complex subproblems. A few of them are solved in this article, along with practical implementations. Moreover, we solved different reduced problems and provided suboptimal solutions for the others. This article opens a new path that has cross-domain applications. Specifically, in the malware detection/classification domain the Systematic Characterization of Sequence Groups is a tool that can be used for automatic generation of malware family signatures and detection heuristics. We experimented with AΓ for building an Android malware family detector, on the sequences of executed Android API calls and it yields an accuracy of 97.74%.

Paper Nr: 3
Title:

Deep Neural Networks for Android Malware Detection

Authors:

Abhilash Hota and Paul Irolla

Abstract: In this paper we present a study of the application of deep neural networks to the problem of pattern matching in Android malware detection. Over the last few years malware has been proliferating and malware authors keep developing new techniques to bypass existing detection methods. Machine learning techniques in general and deep neural networks in particular have been very successful in recent years in a variety of classification tasks. We study various deep neural networks as potential solutions for pattern matching in malware detection systems. The effectiveness of the different architectures is compared and judged as a potential replacement for traditional approaches to malware detection in Android systems.

Paper Nr: 8
Title:

A Comparative Analysis of Android Malware

Authors:

Neeraj Chavan, Fabio Di Troia and Mark Stamp

Abstract: In this paper, we present a comparative analysis of benign and malicious Android applications, based on static features. In particular, we focus our attention on the permissions requested by an application. We consider both binary classification of malware versus benign, as well as the multiclass problem, where we classify malware samples into their respective families. Our experiments are based on substantial malware datasets and we employ a wide variety of machine learning techniques, including decision trees and random forests, support vector machines, logistic model trees, AdaBoost, and artificial neural networks. We find that permissions are a strong feature and that by careful feature engineering, we can significantly reduce the number of features needed for highly accurate detection and classification.

Paper Nr: 10
Title:

Fuzzy Logic Decision based Collaborative Privacy Management Framework for Online Social Networks

Authors:

Gulsum Akkuzu, Benjamin Aziz and Mo Adda

Abstract: Online Social Networks (OSNs) have become one of the most popular implements for interacting with people all over the world and sharing data with them. These data may sometimes be co-owned data which involves multiple users; sharing co-owned data can cause privacy violations if co-owners are not happy with the owner’s sharing privacy settings. To tackle privacy issues on co-owned data, collaborative privacy management has become a popular research area in recent years. In this work, we provide a fuzzy logic decision based collaborative privacy management framework for OSNs. We use data sensitivity value and confidence value in targeted group as input variables of fuzzy system. We also use trust values between users since our framework needs to calculate trust loss and gains for reputation value.

Paper Nr: 12
Title:

Analytical Modelling of Cyber-physical Systems

Authors:

Paul Tavolato and Christina Tavolato-Wötzl

Abstract: In connection with anomaly detection in cyber-physical systems, we suggest in this paper a new way of modelling large systems consisting of a huge number of sensors, actuators and controllers. We base the approach on analytical methods usually used in kinetic gas theory, where one tries to describe the overall behaviour of a gas without looking at each molecule separately. We model the system as a multi-agent network and derive predictions on the behaviour of the network as a whole. These predictions can then be used to monitor the operation of the system. If the deviation between the predictions and the measured attributes of the operational cyber-physical system is sufficiently large, the monitoring system can raise an alarm. This way of modelling the normal behaviour of a cyber-physical system has the advantage over machine learning methods mainly used for this purpose, that it is not based on the effective operation of the system during a training phase, but rather on the specification of the system and its intended use. It will detect anomalies in the system’s operation independent of its source – may it be an attack, a malfunction or a faulty implementation.

Paper Nr: 13
Title:

Spyware Detection using Temporal Logic

Authors:

Fausto Fasano, Fabio Martinelli, Francesco Mercaldo, Vittoria Nardone and Antonella Santone

Abstract: In recent years smartphones have become essential in daily life. A user can perform several operations through a smartphone since they are increasingly similar to a personal computer. Furthermore, smartphones collect a large amount of sensitive information. The most widespread mobile operating system is Android, which is the reason why malware writers target this platform. Malicious behaviours able to steal private information are called spyware. This paper aims to detect this kind of threat in the mobile environment: we present a preliminary framework able to recognize Android spyware. It is based on model checking technique and it uses temporal logic formulae to identify malicious behaviours. We evaluate the proposed framework using a synthetic dataset obtaining a precision equal to 0.98 and a recall equal to 1.

Paper Nr: 15
Title:

Modeling and Simulation of Attacks on Cyber-physical Systems

Authors:

Cinzia Bernardeschi, Andrea Domenici and Maurizio Palmieri

Abstract: This paper presents a methodology for the formal modeling of security attacks on cyber-physical systems, and the analysis of their effects on the system using logic theories. We consider attacks only on sensors and actuators. A simulated attack can be triggered internally by the simulation algorithm or interactively by the user, and the effect of the attack is a set of assignments to the variables. The effects of the attacks are studied by injecting attacks in the system model and simulating them. The overall system, including the attacks, the system dynamics and the control part, is co-simulated. The INTO-CPS framework has been used for co-simulation, and the methodology is applied to the Line follower robot case study of the INTO-CPS project.

Short Papers
Paper Nr: 6
Title:

A Systematic Approach to Choose the Data Warehouse Architecture

Authors:

Antonello Venditti and Fausto Fasano

Abstract: In the design phase of a data warehouse, an appropriate architecture must be selected. To this aim, the engineer assesses various alternatives, depending on the requirements of the specific context. Usually, he chooses it heuristically, based on his experience. However, it must be considered that there are many parameters to be taken into consideration. In this regard, many security problems are due to poor design, as well as the performance may not be appropriate to the reference context, or the expected costs and implementation times could be exceeded. A method of choosing the architecture based on heuristics does not always require a prior and systematic evaluation of all the parameters that distinguish the different architectures and, therefore, the system is easily exposed to various problems, the first of which is the system security. Instead, all these parameters should always be considered in a systematic way, without excluding any, to define the importance they have in the reference context. In this paper, we propose a systematic approach to support the students and engineers during the choice of the data warehouse architecture, taking into account the needs of the specific context in which the data warehouse will be used. This approach requires a prior detection of the importance of the parameters characterizing the different architectures in the reference context. Then, a global value is defined for each architecture, which allows them to be compared. Furthermore, we present an empirical evaluation of the effectiveness of the proposed approach.

Paper Nr: 7
Title:

Transfer Learning for Image-based Malware Classification

Authors:

Niket Bhodia, Pratikkumar Prajapati, Fabio Di Troia and Mark Stamp

Abstract: In this paper, we consider the problem of malware detection and classification based on image analysis. We convert executable files to images and apply image recognition using deep learning (DL) models. To train these models, we employ transfer learning based on existing DL models that have been pre-trained on massive image datasets. We carry out various experiments with this technique and compare its performance to that of an extremely simple machine learning technique, namely, k-nearest neighbors (k-NN). For our k-NN experiments, we use features extracted directly from executables, rather than image analysis. While our image-based DL technique performs well in the experiments, surprisingly, it is outperformed by k-NN. We show that DL models are better able to generalize the data, in the sense that they outperform k-NN in simulated zero-day experiments.

Paper Nr: 14
Title:

Design of an Example Network Protocol for Security Tests Targeting Industrial Automation Systems

Authors:

Steffen Pfrang, Mark Giraud, Anne Borcherding, David Meier and Jürgen Beyerer

Abstract: Emerging concepts like Industrial Internet of Things (IIOT) and Industrie 4.0 require Industrial Automation and Control Systems (IACS) to be connected via networks and even to the Internet. These connections raise the importance of security for those devices enormously. Security testing for IACS aims at searching for vulnerabilities which can be utilized by attackers from the network. Once discovered, those gaps should be closed with patches before they can get exploited. Different tools utilized for this kind of security testing are dealing with network protocols. In practice, they suffer from peculiarities being present in common industrial automation protocols like OPC UA and Profinet IO. This paper tries to improve the situation by providing an extensive overview of network packet structures and network protocol behavior. Based on this analysis, an example protocol has been developed. The idea behind this artificial network protocol is that tools which are able to handle all the specialties of this protocol, are able to handle every imaginable protocol. Finally, those tools can be used to conduct exhaustive security tests for IACS.