NGC 2018 | Systems Security @ NECSTLab | Marcello Pogliani
System Security @ NECSTLab
Marcello Pogliani
marcello.pogliani@polimi.it
Microsoft, Mountain View
May 31st, 2018
The System Security Group @ NECSTLab
1 Associate Professor (Stefano Zanero)
~ 3 Postdoctoral Researchers
~ 3 PhD Students
15+ Master’s Students
What (else) we do, besides research
Hacking Activities (aka CTF)
● Tower of Hanoi ~> http://toh.necst.it/
● mHACKeroni ~> http://mhackeroni.it
○ 2nd @ DEF CON Quals 2018!
System Security
Emphasis on real systems
Focus on data and machine learning
Tools (or concepts) to aid the analyst or the user
Research Lines
Malware and Threat Analysis
Fraud Analysis and Detection
Mobile Security
Security of Cyber-physical systems
Malware and Threat Analysis
Malware and Threat Analysis (MaTa)
Analysis | Defense/Protection | Specific Threats
Prometheus: extract robust signatures from WebInject-based trojans
ShieldFS: defense against ransomware
Arancino (resilient): defending Intel Pin against anti-instrumentation attacks
Jackdaw (simpler): automatic extraction and tagging of common malware behavior
Sample Project: ShieldFS
2016-17: the "years of extortion"
Ransomware vs. Benign Apps
(Diagram of the monitored I/O stack) User mode: benign apps and ransomware? Kernel mode: I/O Manager -> IRPLogger -> File System -> Storage Driver -> Disk drive
Ransomware vs. Benign Apps
(1) #Folder-listing
(2) #Files-Read
(3) #Files-Written
(4) #Files-Renamed
(5) File type coverage
(6) Write Entropy
Detection Models
(Diagram) Process-centric models, one per process (Process #1 ... Process #n), and a system-centric model over the disk drive as a whole
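The six indicators on the previous slide and the process-centric vs. system-centric split can be made concrete with a small feature extractor. The following is an added example written for this page, not ShieldFS code or data: it runs over a constructed I/O trace (one editor-like process and one process that reads, overwrites and renames files across folders), computes the six counters per process, and then recomputes them over all processes at once as a stand-in for the system-centric model. The definitions of "file type coverage" (distinct extensions written or renamed) and of the system-wide aggregation are simplifying assumptions, not the paper's.

```python
import math
from collections import defaultdict

# Constructed I/O trace (made up for this example; not ShieldFS data). Each
# event is (pid, op, path, payload): payload is the written buffer for WRITE,
# the destination path for RENAME and None otherwise.
ENCRYPTED_LOOKING = bytes(range(256)) * 4       # flat byte histogram -> 8.0 bits/byte
PLAIN_TEXT = b"Quarterly report text " * 20     # natural-language bytes -> ~3.3 bits/byte

SAMPLE_TRACE = [
    # pid 100: an editor saving one document
    (100, "LIST", "C:/docs", None),
    (100, "READ", "C:/docs/report.docx", None),
    (100, "WRITE", "C:/docs/report.docx", PLAIN_TEXT),
    # pid 200: read-overwrite-rename loop across several folders and file types
    (200, "LIST", "C:/docs", None),
    (200, "LIST", "C:/photos", None),
    (200, "READ", "C:/docs/report.docx", None),
    (200, "WRITE", "C:/docs/report.docx", ENCRYPTED_LOOKING),
    (200, "RENAME", "C:/docs/report.docx", "C:/docs/report.docx.locked"),
    (200, "READ", "C:/photos/cat.jpg", None),
    (200, "WRITE", "C:/photos/cat.jpg", ENCRYPTED_LOOKING),
    (200, "RENAME", "C:/photos/cat.jpg", "C:/photos/cat.jpg.locked"),
    (200, "READ", "C:/docs/budget.xlsx", None),
    (200, "WRITE", "C:/docs/budget.xlsx", ENCRYPTED_LOOKING),
    (200, "RENAME", "C:/docs/budget.xlsx", "C:/docs/budget.xlsx.locked"),
]


def shannon_entropy(data):
    """Shannon entropy of a byte buffer in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def extension_of(path):
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def extract_features(trace):
    """The six per-process indicators from the slide. 'File type coverage' is
    simplified here (our assumption) to the number of distinct extensions a
    process wrote to or renamed; write entropy is averaged over WRITE buffers."""
    raw = defaultdict(lambda: {"listings": 0, "read": set(), "written": set(),
                               "renamed": set(), "types": set(), "entropies": []})
    for pid, op, path, payload in trace:
        f = raw[pid]
        if op == "LIST":
            f["listings"] += 1
        elif op == "READ":
            f["read"].add(path)
        elif op == "WRITE":
            f["written"].add(path)
            f["types"].add(extension_of(path))
            f["entropies"].append(shannon_entropy(payload))
        elif op == "RENAME":
            f["renamed"].add(path)
            f["types"].add(extension_of(path))
    features = {}
    for pid, f in raw.items():
        ent = f["entropies"]
        features[pid] = {
            "folder_listings": f["listings"],
            "files_read": len(f["read"]),
            "files_written": len(f["written"]),
            "files_renamed": len(f["renamed"]),
            "type_coverage": len(f["types"]),
            "write_entropy": sum(ent) / len(ent) if ent else 0.0,
        }
    return features


def system_wide_features(trace):
    """System-centric view: the same counters over all processes at once, which
    is how we model the input of the slide's system-centric model (assumption)."""
    merged = [(0, op, path, payload) for _, op, path, payload in trace]
    return extract_features(merged)[0]


if __name__ == "__main__":
    for pid, f in extract_features(SAMPLE_TRACE).items():
        print(pid, f)
    print("system", system_wide_features(SAMPLE_TRACE))
```

Running it shows the contrast the slide is after: the editor process touches one file of one type with low-entropy writes and no renames, while the other process lists several folders, rewrites three files of three types with 8.0 bits/byte buffers and renames each of them. The system-wide view blurs the editor into the aggregate, which is why a per-process model is needed alongside it.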
Protection: File Recovery Workflow
Start -> Monitor & COW on first write (process state: Unknown) -> ShieldFS Detector
Malicious -> Restore original copies
Benign -> Clean old copies
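The recovery workflow above (copy on the first write while a process is still unknown, restore on a malicious verdict, discard the copies on a benign one) is what gives the "100% of files protected even on a missed detection" property, as long as the verdict arrives while the shadow copies still exist. The following is an added toy model written for this page, not ShieldFS driver code: an in-memory store that shadows each (process, file) pair on its first write, then either restores or cleans up when the detector decides. Process ids, file names and contents are all constructed.

```python
class ShadowingStore:
    """Toy in-memory model of the slide's workflow: 'monitor & COW on first
    write', then restore or clean once the detector decides. Constructed
    illustration written for this page, not ShieldFS's driver code."""

    def __init__(self, files):
        self.files = dict(files)     # path -> current content (the "disk")
        self.shadow = {}             # (pid, path) -> content before first write
        self.verdicts = {}           # pid -> "unknown" | "benign" | "malicious"

    def write(self, pid, path, data):
        """Apply a write; while the process is still unknown, keep the original
        content the first time this process touches the file (later writes by
        the same process leave the saved copy alone)."""
        state = self.verdicts.setdefault(pid, "unknown")
        if state == "malicious":
            raise PermissionError(f"pid {pid} already classified as malicious")
        if state == "unknown" and (pid, path) not in self.shadow:
            self.shadow[(pid, path)] = self.files.get(path)   # None: file created
        self.files[path] = data

    def decide(self, pid, verdict):
        """Detector verdict: malicious -> restore originals, benign -> drop copies.
        Returns the number of shadow copies handled."""
        if verdict not in ("benign", "malicious"):
            raise ValueError(verdict)
        self.verdicts[pid] = verdict
        touched = [key for key in self.shadow if key[0] == pid]
        for key in touched:
            original = self.shadow.pop(key)
            if verdict == "malicious":
                if original is None:
                    self.files.pop(key[1], None)     # created by the process
                else:
                    self.files[key[1]] = original
        return len(touched)


def demo():
    """Two processes act on the same store; the detector classifies them later."""
    store = ShadowingStore({"report.docx": b"plain report", "cat.jpg": b"JFIF..."})
    store.write(200, "report.docx", b"\x93\x17\x5a overwritten")       # constructed
    store.write(200, "report.docx", b"\x42\x00\x1f overwritten again")  # shadow untouched
    store.write(200, "cat.jpg", b"\x7e\x11 overwritten")
    store.write(200, "README_DECRYPT.txt", b"ransom note text (constructed)")
    store.write(100, "notes.txt", b"meeting notes")
    restored = store.decide(200, "malicious")   # originals come back, note removed
    cleaned = store.decide(100, "benign")       # copies dropped, edit kept
    return store, restored, cleaned


if __name__ == "__main__":
    store, restored, cleaned = demo()
    print("restored", restored, "cleaned", cleaned, store.files)
```

Two details of the model matter in practice: the shadow is keyed per process, so a benign verdict for one process does not discard copies that protect against another still-unknown process, and a file created by the unknown process has no original, so restoring means removing it rather than rewriting it.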
Detection & Recovery Capabilities
● 1483 unseen samples
○ Locky, TeslaCrypt, CryptoLocker, Critroni, TorrentLocker,
CryptoWall, Troldesh, CryptoDefense, PayCrypt, DirtyDecrypt,
ZeroLocker, Cerber, WannaCry
● Files protected: always 100%
○ Even in case of missed detection
● Detection rate: 1436/1483, 96.9%
What's Next
Limitations of Software-based Detectors
(Diagram: software layers App / OS / Kernel / Hardware, with the Detector)
Live Memory Forensics
● Passive undetectable analysis
● Live memory forensics
(Diagram) Target/Protected Machine (Win 8.1) -- PCIe --> USB3380 -- USB --> Physical Memory Reader -> Malware Detector
Live Memory Forensics: Semantic Gap
● Filling the semantic gap
○ Parse OS data structures
(Diagram) Raw memory (hex dump) -> Semantic Reconstruction -> Data Structures
Preliminary Results
Dataset: 2050 samples
● Arancino dataset ~> 500 samples
● Quincy dataset ~> 73 samples
● VirusTotal ~> 1477 samples
Fraud Analysis and Detection (FraudSec)
Machine learning for security
Historical transaction data ~> model user behavior
Detect frauds as anomalies
Sample Project: Banksealer
Internet Banking Fraud Detection: Challenges
Frauds are difficult to analyze and detect
● Rare and dispersed ~> highly imbalanced dataset
● User behavior is dynamic and varies over time
Available information and data are scarce
Existing approaches are limited
● Black-box
● Based on synthetic data
Dataset Analysis
Skewed and unbalanced distribution (plots: number of transactions per user, showing undertraining; transaction amount)
Legitimate Transactions vs. Frauds
Frauds are rare and hidden in the user's behavior (plot: frauds vs. transactions)
Dataset Analysis: Amount Distribution (plot: legitimate vs. fraud)
Banksealer: Approach
Threefold approach, at different granularities:
● Local Profile (for each user)
● Global Profile
● Temporal Profile (for each user)
Banksealer: Approach, Local Profile
The Local Profile characterizes each user's individual spending pattern to evaluate the anomaly of each new transaction.
Banksealer: Approach, Global Profile
The Global Profile characterizes "classes" of spending patterns and mitigates the undertraining problem.
Banksealer: Approach, Temporal Profile
The Temporal Profile deals with frauds that exploit the repetition of legitimate-looking transactions over time.
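The three profiles just described (local, global as a fallback for under-trained users, temporal for repeated legitimate-looking transfers) can be illustrated with a deliberately simple scorer. The following is an added example written for this page, not BankSealer's algorithm or data: the local profile is a per-user z-score on the amount plus the set of destination countries seen before, the global profile is the pooled statistics used whenever a user has fewer than MIN_HISTORY transactions, and the temporal profile compares the 7-day running total against the user's historical weekly maximum. The transaction history, the thresholds (MIN_HISTORY, the 1.5x factor, the z-score cut-off of 3) and the two-point bonuses are all constructed assumptions.

```python
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed transaction history (made up for this example, not bank data).
# Each record: (user, date, amount in EUR, destination country).
HISTORY = [
    ("alice", "2018-01-02", 40.0, "IT"), ("alice", "2018-01-09", 55.0, "IT"),
    ("alice", "2018-01-16", 45.0, "IT"), ("alice", "2018-01-23", 60.0, "IT"),
    ("alice", "2018-01-30", 50.0, "IT"), ("alice", "2018-02-06", 48.0, "IT"),
    ("bob", "2018-01-05", 900.0, "IT"), ("bob", "2018-01-20", 1100.0, "DE"),
    ("bob", "2018-02-03", 950.0, "IT"), ("bob", "2018-02-17", 1050.0, "IT"),
    ("carol", "2018-02-01", 30.0, "IT"),   # under-trained: a single transaction
]
MIN_HISTORY = 3            # assumed: fewer transactions than this = under-trained
WEEK = timedelta(days=7)   # assumed temporal window


def parse(day):
    return datetime.strptime(day, "%Y-%m-%d")


def max_weekly_total(rows):
    """Largest sum of amounts inside any 7-day window of one user's history."""
    rows = sorted(rows)
    return max(sum(a for t, a, _ in rows[i:] if t - t0 < WEEK)
               for i, (t0, _, _) in enumerate(rows))


def build_profiles(history):
    """One local profile per user plus a single global (pooled) profile."""
    per_user = defaultdict(list)
    for user, day, amount, country in history:
        per_user[user].append((parse(day), amount, country))
    local = {}
    for user, rows in per_user.items():
        amounts = [a for _, a, _ in rows]
        local[user] = {"n": len(rows), "mean": statistics.mean(amounts),
                       "stdev": statistics.pstdev(amounts) or 1.0,
                       "countries": {c for _, _, c in rows},
                       "weekly_max": max_weekly_total(rows), "rows": rows}
    amounts = [a for _, _, a, _ in history]
    glob = {"mean": statistics.mean(amounts),
            "stdev": statistics.pstdev(amounts) or 1.0,
            "countries": {c for _, _, _, c in history}}
    return local, glob


def score_transaction(local, glob, user, day, amount, country):
    """Anomaly score and reasons for one new transaction; profiles are not updated."""
    t, prof, reasons = parse(day), local.get(user), []
    undertrained = prof is None or prof["n"] < MIN_HISTORY
    ref = glob if undertrained else prof            # global profile as fallback
    if undertrained:
        reasons.append("global-profile fallback (under-trained user)")
    score = abs(amount - ref["mean"]) / ref["stdev"]   # local/global profile
    if score > 3:
        reasons.append(f"amount z-score {score:.1f}")
    if country not in ref["countries"]:
        score += 2.0
        reasons.append(f"unseen destination country {country}")
    if not undertrained:                            # temporal profile
        window = amount + sum(a for tt, a, _ in prof["rows"]
                              if timedelta(0) <= t - tt < WEEK)
        if window > 1.5 * prof["weekly_max"]:
            score += 2.0
            reasons.append(f"7-day total {window:.0f} exceeds 1.5x the weekly "
                           f"maximum {prof['weekly_max']:.0f}")
    return round(score, 2), reasons


def score_stream(local, glob, transactions):
    """Score transactions in order, appending each to its user's history so that
    a run of small, individually normal transfers accumulates in the window."""
    results = []
    for user, day, amount, country in transactions:
        results.append(score_transaction(local, glob, user, day, amount, country))
        if user in local:
            local[user]["rows"].append((parse(day), amount, country))
    return results


if __name__ == "__main__":
    local, glob = build_profiles(HISTORY)
    print(score_transaction(local, glob, "alice", "2018-02-07", 1500.0, "RO"))
    print(score_stream(local, glob, [("alice", "2018-02-14", 45.0, "IT"),
                                     ("alice", "2018-02-15", 45.0, "IT"),
                                     ("alice", "2018-02-16", 45.0, "IT")]))
```

The stream call is the part worth studying: each of the three 45 EUR transfers is unremarkable for the local profile, and only the temporal window, fed by the earlier two, flags the third. The under-trained user carol shows the other side, where the local profile is too thin to trust and the pooled global profile has to stand in for it.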
Mobile Security (MoSec)
Mobile Malware Analysis:
Heldroid: mobile ransomware analysis
Andrototal: service to analyze suspicious apps w/ multiple mobile AVs
Platform Security:
Grab 'n Run: secure dynamic code loading
OpenST: Linux/ARM syscall tracer
Cyber-Physical Systems Security (CyPhy)
Automotive. Example project: DoS attack that exploits weaknesses in the CANbus link layer.
Industrial Controls & Robots. Example project: a security analysis of modern industrial robot controllers.
(Industrial) CPS Research
What risks and vulnerabilities?
What real-world threats?
How to detect attacks and improve security?
Sample Project: Robosec
Motivation: Industry 4.0 Trends
Interconnected, flexibly programmable, remotely exposed
Robosec in a nutshell
Model for a remote attacker (Industry 4.0 context)
Attack Surface Analysis
Discovered generic attack "templates"
Implemented all this with a case study (ABB IRC5)
Threat Scenarios
1) Production Plant Halting
2) Production Outcome Alteration
3) Physical Damage
4) Unauthorized Access
5) Ransom requests to disclose micro defects
Example attack: Control Loop Alteration (diagram)
Attack POCs
1) Accuracy Violation: PID parameters detuning (Attack 1)
2) Safety Violation: User-Perceived Robot State Alteration (Attack 4)
3) Integrity Violation: Control-loop alteration (Attack 1)
System Security @ NECSTLab
What's Next
Analysis
● generalize to multiple controllers
● attack surface: not only network (physical, programming languages)
Defense
● attack countermeasures (e.g., HRI)
● programming languages
Thanks!
Marcello Pogliani
marcello.pogliani@polimi.it
@mapogli
Malware Analysis: Results
A. Continella, A. Guagnelli, G. Zingaro, G. De Pasquale, A. Barenghi, S. Zanero, F. Maggi. ShieldFS: a self-healing, ransomware-aware filesystem. ACSAC 2017. https://conand.me/publications/continella-shieldfs-2016.pdf - http://shieldfs.necst.it
M. Polino, A. Scorti, F. Maggi, S. Zanero. Jackdaw: Towards Automatic Reverse Engineering of Large Datasets of Binaries. DIMVA 2015. https://jinblack.it/static/files/jackdaw.pdf
M. Polino, A. Continella, S. Mariani, S. D'Alessio, L. Fontana, F. Gritti, S. Zanero. Measuring and Defeating Anti-Instrumentation-Equipped Malware. DIMVA 2017. https://jinblack.it/static/files/arancino.pdf - code + dataset: http://arancino.necst.it
Banksealer: Results
M. Carminati, R. Caron, I. Epifani, F. Maggi, S. Zanero. BankSealer: An Online Banking Fraud Analysis and Decision Support System. IFIP SEC 2014. http://www.syssec-project.eu/m/page-media/3/carminati_sec14_bankSealer.pdf
M. Carminati, M. Polino, A. Continella, A. Lanzi, F. Maggi, S. Zanero. Security Evaluation of a Banking Fraud Analysis System. ACM Transactions on Privacy and Security (TOPS), 2018. https://conand.me/publications/carminati-bankingfraud-2018.pdf
M. Carminati, A. Baggio, F. Maggi, U. Spagnolini, S. Zanero. FraudBuster: Temporal Analysis and Detection of Advanced Financial Frauds. DIMVA 2018 (June 2018).
Cyber-Physical Systems: Results
A. Palanca, E. Evenchick, F. Maggi, S. Zanero. A stealth, selective, link-layer denial-of-service attack against automotive networks. DIMVA 2017. https://link.springer.com/chapter/10.1007/978-3-319-60876-1_9
D. Quarta, M. Pogliani, M. Polino, F. Maggi, A. M. Zanchettin, S. Zanero. An Experimental Security Analysis of an Industrial Robot Controller. IEEE Security & Privacy 2017. http://robosec.org/downloads/paper-robosec-sp-2017.pdf - http://robosec.org
