Ransomware Analysis

"Crypto-ransomware" is the class of malware that encrypts a user's private files and holds them hostage until a payment is made to the attacker. Over the past decade we have witnessed ransomware attack methods advance in technique and increase in profit. Earlier variants of this malware were more contained, less costly, and easier to detect. Over time, capabilities have progressed from merely locking a victim's computer screen, to encrypting files, to encrypting the keys that decrypt the files, and so on.

We have proposed a machine learning approach for dynamically analysing and classifying ransomware by monitoring a set of actions performed by applications in their first phases of installation and checking for characteristic signs of ransomware. Our approach works without requiring that an entire ransomware family be available beforehand. A preliminary version of the paper is available as arXiv:1609.03020 (2016): Daniele Sgandurra, Luis Muñoz-González, Rabih Mohsen, Emil C. Lupu, "Automated Analysis of Ransomware: Benefits, Limitations, and use for Detection."

The slides for the lecture I gave on ransomware for Lorenzo Cavallaro's course Malicious Software are available here.

You can find here the ransomware dataset we collected and analysed, which includes 582 samples of ransomware and 942 benign applications. More information on the dataset can be found here.

Virtualization and Cloud Security

During my PhD I investigated how virtual machine introspection can enable a secure virtual machine to access the state of a monitored machine in order to check the kernel's integrity and the process self. The process self is computed statically by analysing the source code, and is defined through a context-free grammar, which describes the system call traces that the process may issue during its execution, together with a set of invariants, each associated with a program point where the process invokes a call. Further work I did during my partnership with IBM Zurich includes the design and implementation of a mechanism to transparently inject and protect a context agent into a running virtual machine using introspection. This enables the transparent retrieval of reliable high-level information about the internal operation of the monitored virtual machine while giving confidence that the in-guest agent has not been compromised. You can find more information here.

At Imperial College London, after completing a survey of more than 200 papers on virtualization security, I observed that many publications rely on implicit, and differing, assumptions. Threat models are often presented in different ways, making it difficult to evaluate the efficacy of solutions: which threats do they address, and under which assumptions? For this reason, I have been working on a uniform framework for defining the threat models, protection goals and trusted computing base of proposed solutions. You can find more information here.

Mobile Security

During my PostDoc at CNR, in Italy, I worked on a monitoring framework to detect malware that implements a multi-level analysis of app and system behaviour to detect malicious actions. The framework monitors the device's actions, its interaction with the user and the running apps, by retrieving several groups of features at different system levels. For some groups of features the framework applies an anomaly-based approach; for other groups it implements a signature-based approach that considers behavioural patterns derived from known malware misbehaviours. In another line of work, I designed tools for the analysis and classification of malicious Android applications through pattern recognition on execution graphs. The framework analyses behaviours at the system-call level and exploits the concept of actions to increase the system's expressiveness. It finds common sub-graphs in malware executions and classifies other apps by searching for common patterns among the previously mined sub-graphs. You can find more information here.

Attack-Graphs and Risk Management

Attack graphs are used to represent prior knowledge about vulnerabilities and network connectivity, and enable system administrators to reason about threats and their risk in a formal way. During my PhD and PostDoc I worked, in collaboration with the University of Pisa, on a framework to simulate attacks using a Monte Carlo approach, by generating attack graphs in real time. This approach enables administrators to focus on the most effective threats and produce a better selection of countermeasures.
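To illustrate the Monte Carlo idea sketched above, here is an added example (not the framework developed with the University of Pisa, nor code from this page): a constructed toy attack graph is sampled repeatedly to estimate the probability that an attacker reaches a goal host, and each vulnerability is then ranked by how much patching it would lower that probability. Hosts, vulnerability ids and success probabilities are all invented for the illustration.

```python
import random
from collections import deque

# Constructed toy attack graph (assumed, not from the page): each edge reads
# (source host, target host, vulnerability id, probability one exploit attempt succeeds).
# The only entry point is "v-web"; the goal host "db" is reachable via two paths.
EDGES = [
    ("internet", "web", "v-web", 0.6),
    ("web", "db", "v-db", 0.3),
    ("web", "app", "v-app", 0.5),
    ("app", "db", "v-db2", 0.3),
]

def simulate_once(edges, start, goal, rng, patched=frozenset()):
    """One Monte Carlo trial: expand the set of compromised hosts breadth-first,
    trying each outgoing exploit once; an attempt succeeds with its edge probability.
    Edges whose vulnerability is in `patched` are unavailable to the attacker."""
    reached = {start}
    frontier = deque([start])
    while frontier:
        host = frontier.popleft()
        for src, dst, vuln, p in edges:
            if src != host or dst in reached or vuln in patched:
                continue
            if rng.random() < p:
                reached.add(dst)
                if dst == goal:
                    return True
                frontier.append(dst)
    return False

def goal_probability(edges, start, goal, trials=10000, patched=frozenset(), seed=0):
    """Estimate P(goal reached) as the fraction of successful trials (seeded for reproducibility)."""
    rng = random.Random(seed)
    hits = sum(simulate_once(edges, start, goal, rng, patched) for _ in range(trials))
    return hits / trials

def rank_countermeasures(edges, start, goal, trials=10000, seed=0):
    """Rank single-vulnerability patches by the drop in goal probability they cause,
    which is the quantity an administrator would use to prioritise remediation."""
    baseline = goal_probability(edges, start, goal, trials, seed=seed)
    vulns = sorted({e[2] for e in edges})
    reductions = {v: baseline - goal_probability(edges, start, goal, trials, frozenset({v}), seed)
                  for v in vulns}
    return baseline, sorted(reductions.items(), key=lambda kv: kv[1], reverse=True)

if __name__ == "__main__":
    base, ranking = rank_countermeasures(EDGES, "internet", "db")
    print(f"baseline P(db compromised) ~ {base:.3f}")
    for vuln, drop in ranking:
        print(f"patch {vuln}: reduces probability by ~{drop:.3f}")
```

For this toy graph the exact baseline is 0.6 * (1 - 0.7 * 0.85) = 0.243, so the estimate should land close to that; patching the sole entry vulnerability drives the probability to zero and therefore ranks first.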

Prospective PhD Students

I am always looking for outstanding PhD students who are passionate about computer security. I am particularly interested in supervising highly-motivated PhD students to work on the following areas:

  • Internet of Things Security
  • Malware Analysis
  • Virtualization Security
  • Trusted Embedded Systems (e.g., TPM and SGX)
  • Mobile Security

The ideal candidate should hold (or be expected to achieve) a Master's degree in addition to a Bachelor's degree at UK Upper Second Class Honours level, in Computer Science or Engineering, and should possess good practical skills (e.g., C, C++, Java, Python). Please note that I do not supervise part-time students.

Information on how to apply for a research degree is available here. Please also have a look at the PhD entry requirements, available here.

Information about funding at Royal Holloway ISG is available here and here. Some funding is also available through the Royal Holloway Centre for Doctoral Training in Cyber Security, at this link.

If you wish to contact me about this, please include in your email a research proposal, your curriculum vitae, transcripts, and examples of work you have done (e.g., conference papers or an MSc/BSc thesis).

Available Positions