BitCrumbs

 

Towards a Reliable and Automated Analysis of Compromised Systems

The vast majority of research in computer security is dedicated to the design of detection, protection, and prevention solutions. While these techniques play a critical role in increasing the security and privacy of our digital infrastructure, it is enough to look at the news to understand that it is not a matter of "if" a computer system will be compromised, but only a matter of "when". It is a well-known fact that there is no 100% secure system, and that there is no practical way to prevent attackers with enough resources from breaking into sensitive targets. Therefore, it is extremely important to develop automated techniques to analyze computer security incidents and compromised systems in a timely and precise manner. Unfortunately, the area of incident response has received very little research attention, and it is still largely considered an art more than a science because it lacks a proper theoretical and scientific foundation. The objective of BITCRUMBS is to rethink the Incident Response (IR) field from its foundations by proposing a more scientific and comprehensive approach to the analysis of compromised systems. BITCRUMBS will achieve this goal in three steps:

  1. by introducing a new systematic approach to precisely measure the effectiveness and accuracy of IR techniques and their resilience to evasion and forgery;
  2. by designing and implementing new automated techniques to cope with advanced threats and the analysis of IoT devices;
  3. by proposing a novel forensics-by-design development methodology and a set of guidelines for the design of future systems and software.

To provide the right context for these new techniques and show the impact of the project in different fields and scenarios, BITCRUMBS plans to address its objectives using real case studies borrowed from two different domains: traditional computer software, and embedded systems.

BITCRUMBS is a project funded by a European Research Council (ERC) Consolidator Grant.

The project started in mid-2018 and ended in the summer of 2023.


Publications

Decoding the Secrets of Machine Learning in Malware Classification: A Deep Dive into Datasets, Feature Extraction, and Model Performance
Savino Dambra, Yufei Han, Simone Aonzo, Platon Kotzias, Antonino Vitale, Juan Caballero, Davide Balzarotti, Leyla Bilge
Proceedings of the 30th ACM Conference on Computer and Communications Security (CCS), Copenhagen
Bibtex
An OS-agnostic Approach to Memory Forensics
Andrea Oliveri, Matteo Dell'Amico, Davide Balzarotti
Network and Distributed System Security (NDSS) Symposium, San Diego (USA)
PDF Bibtex
Humans vs. Machines in Malware Classification
Simone Aonzo, Yufei Han, Alessandro Mantovani, Davide Balzarotti
32nd USENIX Security Symposium (USENIX Security 23), Anaheim, CA
Bibtex
How Machine Learning Is Solving the Binary Function Similarity Problem
Andrea Marcelli, Mariano Graziano, Xabier Ugarte-Pedrero, Yanick Fratantonio, Mohamad Mansouri, Davide Balzarotti
31st USENIX Security Symposium (USENIX Security 2022)
PDF Bibtex
RE-Mind: a First Look Inside the Mind of a Reverse Engineer
Alessandro Mantovani, Simone Aonzo, Yanick Fratantonio, Davide Balzarotti
31st USENIX Security Symposium (USENIX Security 2022)
PDF Bibtex
In the Land of MMUs: Multiarchitecture OS-Agnostic Virtual Memory Forensics
Andrea Oliveri, Davide Balzarotti
ACM Transactions on Privacy and Security (TOPS), New York, NY, USA
PDF Bibtex
AutoProfile: Towards Automated Profile Generation for Memory Analysis
Fabio Pagani, Davide Balzarotti
ACM Transactions on Privacy and Security (TOPS)
PDF Bibtex
A Comparison of Systemic and Systematic Risks of Malware Encounters in Consumer and Enterprise Environments
Savino Dambra, Leyla Bilge, Davide Balzarotti
ACM Transactions on Privacy and Security (TOPS)
Bibtex
Lost in the Loader: The Many Faces of the Windows PE File Format
Dario Nisi, Mariano Graziano, Yanick Fratantonio, Davide Balzarotti
Symposium on Research in Attacks, Intrusion, and Defenses (RAID), San Sebastian
Bibtex
Artifacts: ???
When Malware Changed Its Mind: Characterizing the Variability of Malicious and Unwanted Program Behaviors at Scale
Erin Avllazagaj, Ziyun Zhu, Leyla Bilge, Davide Balzarotti, Tudor Dumitras
29th USENIX Security Symposium (USENIX Security 21), Boston, MA
Winner of the Best Paper Award for 2021 -- CSAW
Bibtex
Does Every Second Count? Time-based Evolution of Malware Behavior in Sandboxes
Alexander Kuechler, Alessandro Mantovani, Yufei Han, Leyla Bilge, Davide Balzarotti
Network and Distributed System Security (NDSS) Symposium, San Diego (USA)
PDF Bibtex
Pre-processing Memory Dumps to Improve Similarity Score of Windows Modules
Miguel Martín-Pérez, Ricardo J. Rodríguez, Davide Balzarotti
Computers & Security
PDF Bibtex
The evidence beyond the wall: Memory forensics in SGX environments
Flavio Toffalini, Andrea Oliveri, Mariano Graziano, Jianying Zhou, Davide Balzarotti
Forensic Science International: Digital Investigation
PDF Bibtex
The Tangled Genealogy of IoT Malware
Emanuele Cozzi, Pierre-Antoine Vervier, Matteo Dell'Amico, Yun Shen, Leyla Bilge, Davide Balzarotti
Annual Computer Security Applications Conference (ACSAC) 2020
PDF Bibtex
Prevalence and Impact of Low-Entropy Packing Schemes in the Malware Ecosystem
Alessandro Mantovani, Simone Aonzo, Xabier Ugarte-Pedrero, Alessio Merlo, Davide Balzarotti
Network and Distributed System Security (NDSS) Symposium , 2020
PDF Bibtex
Artifacts: Dataset, Code
When malware is packin' heat; limits of machine learning classifiers based on static analysis features
Hojjat Aghakhani, Fabio Gritti, Francesco Mecca, Martina Lindorfer, Stefano Ortolani, Davide Balzarotti, Giovanni Vigna, Christopher Kruegel
Network and Distributed System Security (NDSS) Symposium, 2020
PDF Bibtex
Artifacts: Dataset
SoK: Cyber Insurance - Technical Challenges and a System Security Roadmap
Savino Dambra, Leyla Bilge, Davide Balzarotti
IEEE Symposium on Security & Privacy, San Francisco, CA 2020
PDF Bibtex
Back to the Whiteboard: a Principled Approach for the Assessment and Design of Memory Forensic Techniques
Fabio Pagani, Davide Balzarotti
28th USENIX Security Symposium (USENIX Security 19), Santa Clara, CA (acceptance rate: 15.7%)
PDF Slides Bibtex
Artifacts: Code
A Close Look at a Daily Dataset of Malware Samples
Xabier Ugarte-Pedrero, Mariano Graziano, Davide Balzarotti
ACM Transactions on Privacy and Security (TOPS)
PDF Bibtex
Artifacts: not available as the experiments were performed by CISCO employees by using internal data and tools
Introducing the Temporal Dimension to Memory Forensics
Fabio Pagani, Oleksii Fedorov, Davide Balzarotti
ACM Transactions on Privacy and Security (TOPS)
PDF Bibtex
Artifacts: Code, Memory Images
Understanding Linux Malware
Emanuele Cozzi, Mariano Graziano, Yanick Fratantonio, Davide Balzarotti
IEEE Symposium on Security & Privacy, San Francisco, CA (acceptance rate: 11.5%)
PDF Slides Bibtex
Artifacts: Free Service, List of Samples