The vast majority of research in computer security is dedicated to the design of detection, protection, and prevention solutions. While these techniques play a critical role in increasing the security and privacy of our digital infrastructure, it is enough to look at the news to understand that it is not a matter of "if" a computer system will be compromised, but only a matter of "when". It is a well-known fact that there is no 100% secure system, and that there is no practical way to prevent attackers with enough resources from breaking into sensitive targets. Therefore, it is extremely important to develop automated techniques that analyze computer security incidents and compromised systems in a timely and precise manner. Unfortunately, the area of incident response has received very little research attention, and it is still largely considered an art more than a science because it lacks a proper theoretical and scientific foundation. The objective of BITCRUMBS is to rethink the Incident Response (IR) field from its foundations by proposing a more scientific and comprehensive approach to the analysis of compromised systems. BITCRUMBS will achieve this goal in three steps:
Bitcrumbs is a project funded by a European Research Council (ERC) consolidator grant.
The project started in mid-2018 and ended in the summer of 2023.
Decoding the Secrets of Machine Learning in Malware Classification: A Deep Dive into Datasets, Feature Extraction, and Model Performance. Proceedings of the 30th ACM Conference on Computer and Communications Security (CCS), Copenhagen.
An OS-agnostic Approach to Memory Forensics. Network and Distributed System Security (NDSS) Symposium, San Diego (USA).
Humans vs. Machines in Malware Classification. 32nd USENIX Security Symposium (USENIX Security 23), Anaheim, CA.
How Machine Learning Is Solving the Binary Function Similarity Problem. 31st USENIX Security Symposium (USENIX Security 2022).
RE-Mind: a First Look Inside the Mind of a Reverse Engineer. 31st USENIX Security Symposium (USENIX Security 2022).
In the Land of MMUs: Multiarchitecture OS-Agnostic Virtual Memory Forensics. ACM Transactions on Privacy and Security (TOPS), New York, NY, USA.
AutoProfile: Towards Automated Profile Generation for Memory Analysis. ACM Transactions on Privacy and Security (TOPS).
A Comparison of Systemic and Systematic Risks of Malware Encounters in Consumer and Enterprise Environments. ACM Transactions on Privacy and Security (TOPS).
Lost in the Loader: The Many Faces of the Windows PE File Format. Symposium on Research in Attacks, Intrusions, and Defenses (RAID), San Sebastian. Artifacts: ???
When Malware Changed Its Mind: Characterizing the Variability of Malicious and Unwanted Program Behaviors at Scale. 29th USENIX Security Symposium (USENIX Security 21), Boston, MA. Winner of the Best Paper Award for 2021 -- CSAW.
Does Every Second Count? Time-based Evolution of Malware Behavior in Sandboxes. Network and Distributed System Security (NDSS) Symposium, San Diego (USA).
Pre-processing Memory Dumps to Improve Similarity Score of Windows Modules. Computers & Security.
The evidence beyond the wall: Memory forensics in SGX environments. Forensic Science International: Digital Investigation.
The Tangled Genealogy of IoT Malware. Annual Computer Security Applications Conference (ACSAC) 2020.
Prevalence and Impact of Low-Entropy Packing Schemes in the Malware Ecosystem. Network and Distributed System Security (NDSS) Symposium, 2020.
When malware is packin' heat; limits of machine learning classifiers based on static analysis features. Network and Distributed System Security (NDSS) Symposium, 2020. Artifacts: Dataset.
SoK: Cyber Insurance - Technical Challenges and a System Security Roadmap. IEEE Symposium on Security & Privacy, San Francisco, CA, 2020.
Back to the Whiteboard: a Principled Approach for the Assessment and Design of Memory Forensic Techniques. 28th USENIX Security Symposium (USENIX Security 19), Santa Clara, CA (acceptance rate: 15.7%). Artifacts: Code.
A Close Look at a Daily Dataset of Malware Samples. ACM Transactions on Privacy and Security (TOPS). Artifacts: not available, as the experiments were performed by CISCO employees using internal data and tools.
Introducing the Temporal Dimension to Memory Forensics. ACM Transactions on Privacy and Security (TOPS). Artifacts: Code, Memory Images.
Understanding Linux Malware. IEEE Symposium on Security & Privacy, San Francisco, CA (acceptance rate: 11.5%). Artifacts: Free Service, List of Samples.