A growing wave of cyber attacks is threatening our digitally-reliant society. Recognizing the strong prevalence of evasive malware in cyber attacks, within this project we propose to develop tools and techniques for threat intelligence, analysis, and detection that address some of the most challenging endeavors in analyzing modern malware. We will focus on designing malware analysis techniques that are resilient to adversarial manipulations according to three main goals that comprise the development of (1) static analysis techniques to identify behavioral code features among malicious samples that actively try to hide their similarities; (2) robust dynamic analysis techniques for evasive malware; (3) malware mitigation techniques that make use of the results of goals 1-2 in order to provide better resilience against modern, evasive malware.
INNOVATION POTENTIAL:
Cyberthreat intelligence is the main approach proposed by the big market players of cybersecurity services to improve readiness against cyber-attacks. Such companies sell access to intelligence feeds that, however, mainly provide information on "generic" threats, while customers need to integrate threat analysis teams within their Security Operations Centers (SOCs) to correctly face APTs that are tailored to the targeted organization.
Manually analyzing an ever-growing number of incoming threats is an activity that requires highly skilled personnel who are both difficult and expensive to hire. SOCs are thus eager to adopt solutions that could support malware analysis and threat intelligence by reducing the amount of malware that needs to be analyzed manually by human experts.
In this context, the project's main goals all have the potential to improve the state of the art in a number of scenarios:
(1) and (2) Adversarial static/dynamic analysis - Code analysis techniques are today employed in most malware detection appliances and applications. The solutions envisioned by the project could be employed to improve the effectiveness of existing analysis frameworks by allowing them to correctly identify malware that today escapes detection by adopting advanced obfuscation or evasion strategies.
(3) Malware mitigation techniques - Threat intelligence solutions for attack mitigation represent a strong market segment in IT security today. The project will propose the integration of novel solutions in an open platform that could be adopted by end-users to complement their existing security frameworks. Such integration shall provide new, detailed and accurate IOCs that will enhance malware detection and mitigation capabilities.
The project aims at providing the aforementioned contributions within a practical solution to help SOC operators quickly detect and respond to advanced threats.
IMPACT:
Scientific Impact
Researchers collaborating in the proposal are among the contributors to the international academic research literature on the topics linked to the project's main goals. As a consequence they will target top-ranked conferences (e.g. ACM CCS, IEEE S&P, USENIX Security, NDSS, POPL, PLDI, OOPSLA, ECOOP) and journals (e.g. IEEE Transactions on Dependable and Secure Computing, IEEE Transactions on Information Forensics and Security, ACM Transactions on Privacy and Security, IEEE Transactions on Software Engineering, Elsevier's "Computers and Security") to disseminate the project's scientific results.
Social Impact
We are currently growing accustomed to an "intrinsically insecure" Internet, where threats lurk waiting for the next victim to attack. This is the consequence of the growing asymmetry between cyber criminals and defenders, with the latter struggling to catch up with continuously improving attacking techniques. Experts believe that this lack of confidence in a more secure cyberspace may push people to build "gated" internets (Center for Long Term Cybersecurity - UC Berkeley). The project may contribute to reducing this asymmetry by putting in the hands of defenders more advanced and robust instruments to detect advanced threats, in order to help protect citizens and businesses.
Economic Impact
As reported in [PON16], the average cost of cyber-crime per company in 2016 was $9.5 million, around a 21% net increase from the 2015 value. As a direct consequence, large enterprises are investing more money into cybersecurity technologies than ever before. The need for a stronger and more comprehensive security model has become a board-level topic, as the severity of these attacks hits home for businesses and consumers alike. In general, the cybersecurity market is growing at a rate almost five times the general European GDP growth. The technology investigated and the innovations proposed by the project are relevant for future products and services belonging to the cybersecurity market. Furthermore, the project's contributions are perfectly aligned with new European-level regulations on cyber security that require companies, and critical infrastructures in particular, to implement adequate monitoring and mitigation strategies for cyber threats.
Technological Impact
The consortium plans to release the main technical results of this research as open source in order to foster its adoption within other frameworks/systems for threat intelligence. This approach will increase the impact of the proposed solutions by allowing them to be used to improve other existing platforms already integrated within real-world analysis systems.
REFERENCES:
[PON16] Ponemon Research Institute. 2016 Cost of Cyber Crime Study & the Risk of Business Innovation. 2016.