Date: October 18, 11am, GSSI Room B
Speaker: Ricardo J. Rodriguez, University of Zaragoza, Spain
Title: Extracting WinAPI Call Graphs for Inferring Malicious Behaviours
Abstract: The number of incidents related to cyberattacks is increasing rapidly, according to numerous software security vendors in recent years. In this regard, malicious software specially crafted to proliferate on PC platforms is growing exponentially, not only in quantity but also in complexity. For instance, Kaspersky reported analysing 350000 malware samples daily in 2013. Many software security vendors offer products to fight these threats (mainly denoted as anti-virus software) based on signature-based analysis rather than behaviour-based analysis. Thus, a small modification to the malware might cause a false negative detection and hence the infection of devices, to the benefit of the cybercriminals. In this talk, we present an approach to dynamically extract the malicious behaviour of a program binary, based on extracting its call graphs. In particular, we focus on malware that targets Windows platforms. The call graph is useful for clustering samples with similar behaviour and for detecting malicious behavioural patterns that may be used to build new defence tools. We will also show the advantages and disadvantages of this approach, as well as the possibilities for collaboration. To illustrate the approach, as a case study during the talk we will use the specially crafted malware that targets Point-of-Sale systems.
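As an added illustration (not the speaker's tool or code), the following Python builds a per-thread WinAPI call graph from constructed sandbox-style call traces and groups samples whose graphs overlap, which is the clustering use of call graphs the abstract describes. The trace format, the consecutive-call edge definition and the Jaccard threshold are assumptions made for this example.

```python
from typing import Dict, List, Set, Tuple

# Constructed, illustrative API traces (one "thread_id api_name" per line);
# they are not real malware traces. A and B share the same file-read and
# network-send behaviour, C only reads the registry and shows a message box.
TRACE_A = """\
1 CreateFileW
1 ReadFile
1 WSAStartup
1 socket
1 connect
1 send
2 CreateFileW
2 ReadFile
"""
TRACE_B = "1 CreateFileW\n1 ReadFile\n1 WSAStartup\n1 socket\n1 connect\n1 send\n"
TRACE_C = "1 RegOpenKeyExW\n1 RegQueryValueExW\n1 MessageBoxW\n"

Edge = Tuple[str, str]


def build_call_graph(trace: str) -> Set[Edge]:
    """Return the edge set of a per-thread API call graph.

    Edge (a, b) means API b was observed right after API a on the same
    thread (assumed definition). Edges are deduplicated, so the graph
    captures control structure rather than call counts.
    """
    last_call: Dict[str, str] = {}
    edges: Set[Edge] = set()
    for line in trace.splitlines():
        if not line.strip():
            continue
        tid, api = line.split(maxsplit=1)
        if tid in last_call:
            edges.add((last_call[tid], api))
        last_call[tid] = api
    return edges


def jaccard(a: Set[Edge], b: Set[Edge]) -> float:
    """Edge-set similarity in [0, 1]; two empty graphs count as identical."""
    return 1.0 if not a and not b else len(a & b) / len(a | b)


def cluster_samples(graphs: Dict[str, Set[Edge]], threshold: float = 0.5) -> List[Set[str]]:
    """Greedy single-linkage clustering: a sample joins the first cluster
    containing any member whose graph is at least `threshold` similar."""
    clusters: List[Set[str]] = []
    for name, graph in graphs.items():
        for cluster in clusters:
            if any(jaccard(graph, graphs[other]) >= threshold for other in cluster):
                cluster.add(name)
                break
        else:
            clusters.append({name})
    return clusters
```

With the three constructed traces, A and B end up in one cluster and C in another, because A and B share every call-graph edge while C shares none.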
Bio: Ricardo J. Rodríguez received the M.S. and Ph.D. degrees in computer science from the University of Zaragoza, Zaragoza, Spain, in 2010 and 2013, respectively. His Ph.D. dissertation focused on performance analysis and resource optimization in critical systems, with special interest in Petri net modeling techniques. He was a Visiting Researcher with the School of Computer Science and Informatics, Cardiff University, Cardiff, U.K., in 2011 and 2012, and with the School of Innovation, Design and Engineering, Mälardalen University, Västerås, Sweden, in 2014. He is currently an Assistant Professor at the University of Zaragoza, Zaragoza, Spain, and a Visiting Professor at the Second University of Naples, Caserta, Italy. His research interests include performability and dependability analysis, program binary analysis, and contactless card security. More information is available here: http://webdiis.unizar.es/~ricardo/