designing robust software analysis and artificial
play

Designing Robust Software Analysis and Artificial Intelligence - PowerPoint PPT Presentation

Sep 04, 2022 •345 likes •850 views

Designing Robust Software Analysis and Artificial Intelligence Approaches For Cybersecurity Giacomo Iadarola Research fellow (Assegnista di Ricerca) at IIT-CNR PhD student at Department of Computer Science (University of Pisa) TUTOR: Fabio

  1. Designing Robust Software Analysis and Artificial Intelligence Approaches For Cybersecurity Giacomo Iadarola Research fellow (Assegnista di Ricerca) at IIT-CNR PhD student at Department of Computer Science (University of Pisa) TUTOR: Fabio Martinelli (IIT-CNR) Interests: Software Testing and Analysis - Mobile Security Machine Learning - Cryptography (Blockchain) ToDo: Adversarial Learning - Explicable AI

  2. Outline • Introduction • Let’s talk about: ➢ Software Testing and Analysis ➢ Mobile Security • Future Works ➢ Adversarial Learning • Conclusion Pesaresi Seminar – 16th Mar 2020

  3. Software Testing and Analysis

  4. Introduction All software have bugs, we know that… Number of bugs per kLOC: Time to Fix: Between 57.02 bugs/kLOC Between 5 and 340 days and 10.09 bugs/kLOC … and also the smallest vulnerability may trigger a domino effect! ● Aljedaani, Wajdi, and Yasir Javed. "Bug Reports Evolution in Open Source Systems.” ● Xia, Xin, et al. "An empirical study of bugs in software build system."

  5. Goal of GrapPa Design and implement a generic bug finder that uses machine learning to learn from buggy examples • Static analysis ➢ from source code to graph • Train graph-based classifier • Classify graphs of previously unseen code

  6. What is “buggy”? Buggy example Non-Buggy example

  7. What is “buggy”? Buggy example Non-Buggy example

  8. Background • Code Property graph (CPG) ➢ Merges classical graph representation into one data structure • Contextual Graph Markov Model (CGMM) ➢ Neural network approach for processing graph data • Multilayer Perceptron (MLP) ➢ Classical neural network model

  9. Background - CPG Code example

  10. Background - CPG ● Yamaguchi, Fabian, et al. "Modeling and discovering vulnerabilities with code property graphs." (2014).

  11. Background - CGMM An unsupervised model able to encode graphs of varying size and topology to a fixed dimension vector Edges Flow of contextual information State ● Bacciu Davide, Federico Errica, and Alessio Micheli. "Contextual Graph Markov Model: A Deep and Generative Approach to Graph Processing." (2018).

  12. Background - MLP Feedforward artificial neural network. Dropout The dropout layer randomly selects a fraction rate of input neurons that are ignored during training

  13. Methodology Approach steps • Database of source code samples • Static analysis and graph generation • Graph vectorization • Classification

  14. Approach - The Dataset

  15. Approach - The Dataset

  16. Approach - The Dataset List of applied mutations The major mutation framework - documentation. http://mutation-testing.org/

  17. Approach - Generate CPGs

  18. Approach - Graphs vectorization Dataset of a bug pattern TRAINING VECTORIZE Dataset of unclassified graphs

  19. Approach - Classification Approach presented by Gal Y. e Ghahramani Z. to calculate the uncertainty of the model predictions. Output for each sample: Prediction value in range [0,1] ➢ Uncertainty value in range [0,1.8) ➢ ● Gal, Yarin, and Zoubin Ghahramani. "Dropout as a Bayesian approximation: Representing model uncertainty in deep learning." (2016).

  20. Approach - Classification We define uncertainty as: Final step : removing graphs/vector:

  21. Approach - Classification ● Predictions and subset of methods Model trained on a specific bug pattern

  22. Implementation - GrapPa ● Major: ● Soot: ● CGMM tool: ● Weka mutation analyzing Github by ● Keras framework Java Errica F. ● Tensorflow applications (@diningphil)

  23. Results - NPE Example #1 ● Classified by the model as: BUGGY ● Manual check classified as: BUGGY

  24. Results - NPE Example #2 ● Classified by the model as: BUGGY ● Manual check classified as: NON-BUGGY

  25. Results - NPE Example #2 ● Classified by the model as: BUGGY ● Manual check classified as: NON-BUGGY

  26. Take-home points for GrapPa Novel and general approach Use of recent works ➢ Useful for developers in improving code security ➢ Not need prior-knowledge on code (neither on the bug ➢ pattern) The tool GrapPa (https://github.com/Djack1010/GrapPa) Three trained models available ➢ Easy to include more bug patterns ➢ Simplified version of the CPG Three datasets of syntetich bugs available online https://github.com/Djack1010/BUG_DB ➢

  27. Mobile Security

  28. Motivation • Mobile devices handle huge amount of sensitive data ➢ really lucrative and attractive for attackers • Mobile malware abuse of the “weakest link” of security ➢ malware detection techniques to mitigate • Banking malware are critical ➢ significant exposure to every infected device Pesaresi Seminar – 16th Mar 2020

  29. Formal methods in a nutshell ➢ Formal Model & Temporal Logics Calculus of Modal mu-calculus (extended form) Communicating Systems of Milner (CCS) doing_shopping = add_item init ∧ empty_cart ∧ not_empty_cart clear_cart init = init.<start>empty_cart empty_cart not_emtpy_cart add_item empty_cart = empty_cart.<add_item>not_empty_cart start pay not_empty_cart = not_empty_cart.<add_item>not_empty_cart ∨ not_empty_cart.<pay>true Pesaresi Seminar – 16th Mar 2020

  30. The Method ➢ Formal Model & Temporal Logics ● Java Bytecode-to-CCS transformation ● Specify set of properties defined for each instruction describing malware behaviours ➢ ➢ App under analysis Manual inspection and current literature Transformation CCS .class files Function specification Properties Labelled Transition System Pesaresi Seminar – 16th Mar 2020

  31. The Method Pesaresi Seminar – 16th Mar 2020

  32. Features and Pros of the Method ● Use of formal methods ● Inspection directly on Java Bytecode ● Capture of malicious behaviours at finer granularity ● Method independent of source programming language ● Identification payload without decompilation Pesaresi Seminar – 16th Mar 2020

  33. The Experiment on the Overlay family 1. Intercepting SMS messages 2. Stealing money in background 3. Password resetting [1] Wei, Fengguo, et al. "Deep ground truth analysis of current android malware." International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment . Springer, Cham, 2017. [2] Han, Qian, et al. "DBank: Predictive Behavioral Analysis of Recent Android Banking Trojans." IEEE Transactions on Dependable and Secure Computing (2019). [3] Wazid, Mohammad, Sherali Zeadally, and Ashok Kumar Das. "Mobile banking: evolution and threats: malware threats and security solutions." IEEE Consumer Electronics Magazine 8.2 (2019) [4] Pan, Jordan “Fake Bank App Ramps Up Defensive Measures“ Available at: http://tiny.cc/xz209y [Accessed: Oct ‘19] Pesaresi Seminar – 16th Mar 2020

  34. The Experiment on the Overlay family Malicious Behaviour in Java Code Malicious Behaviour in mu-calculus formulae Pesaresi Seminar – 16th Mar 2020

  35. The Experiment on the Overlay family Collecting User Info Malicious Behaviour in Java Code Send Info to attackers Malicious Behaviour in mu-calculus formulae Pesaresi Seminar – 16th Mar 2020

  36. The Experiment on the Overlay family Collecting User Info Malicious Behaviour in Java Code Send Info to attackers Collecting User Info Malicious Behaviour in mu-calculus formulae Send Info to attackers Pesaresi Seminar – 16th Mar 2020

  37. The Dataset + 75 malware Overlay family + 250 malware from Drebin [1] * + 50 trusted samples = 375 real world samples * 25 randomly selected samples from each of the top 10 Drebin Malware Families [1] ARP, Daniel, et al. Drebin: Effective and explainable detection of android malware in your pocket. In: Ndss. 2014. Pesaresi Seminar – 16th Mar 2020

  38. Evaluation Result True Positive False Positive False Negative True Negative 75 0 0 300 Pesaresi Seminar – 16th Mar 2020

  39. Take-home points Short experimental paper: applied known technique[1,2] on a specific malware classification problem ● Methodology: ➢ model checking to detect Overlay malware ● Database: ➢ 350 real world applications ● Experiment result: ➢ achieved precision and recall values equal to 1 [1] Canfora, Gerardo, et al. "Leila: formal tool for identifying mobile malicious behaviour." IEEE Transactions on Software Engineering (2018) [2] Cimitile, Aniello, et al. "Talos: no more ransomware victims with formal methods." International Journal of Information Security 17.6 (2018) Pesaresi Seminar – 16th Mar 2020

  40. Limitations and Future Works ● Extend analysis to more malware (families) ➢ Image classification and Deep Learning ● Take into account obfuscation ➢ Check robustness model ● Using preliminary static analysis to automatize malicious behaviour extraction (GrapPa) Pesaresi Seminar – 16th Mar 2020

Recommend

Designing a robust artificial pancreas using patient data: a computational study Nicola Paoletti

Designing a robust artificial pancreas using patient data: a computational study Nicola Paoletti

Designing a robust artificial pancreas using patient data: a computational study Nicola Paoletti Department of Computer Science, Stony Brook University Joint work with: Shan Lin, Scott Smolka, Kin Sum Liu 1 st Italian American Scientist of Long

501 views • 17 slides
DESIGNING ROBUST SYSTEMS DESIGNING ROBUST SYSTEMS with with UNCERTAIN INFORMATION UNCERTAIN

DESIGNING ROBUST SYSTEMS DESIGNING ROBUST SYSTEMS with with UNCERTAIN INFORMATION UNCERTAIN

DESIGNING ROBUST SYSTEMS DESIGNING ROBUST SYSTEMS with with UNCERTAIN INFORMATION UNCERTAIN INFORMATION Giovanni De Micheli Giovanni De Micheli CSL - CSL - Stanford University Stanford University ASPDAC 2003 The philosophical paradigm

721 views • 46 slides
Principles of Software Construction: Objects, Design, and Concurrency (Part 2: Designing

Principles of Software Construction: Objects, Design, and Concurrency (Part 2: Designing

Principles of Software Construction: Objects, Design, and Concurrency (Part 2: Designing (Sub-)Systems) More Analysis for Functional Correctness Christian Kstner Bogdan Vasilescu School of Computer Science 15-214 1 Administrativa

1.42k views • 100 slides
Robust Analysis using RoMulOC for the Longitudinal Control of a Civil Aircraft Guilherme

Robust Analysis using RoMulOC for the Longitudinal Control of a Civil Aircraft Guilherme

Robust Analysis using RoMulOC for the Longitudinal Control of a Civil Aircraft Guilherme Chevarria Dimitri Peaucelle Denis Arzelier Guilhem Puyou IEEE-MSC - Yokohama - September 8-10, 2010 Introduction Test robust analysis tools on

232 views • 22 slides
A predictive multi-modal imaging marker for designing efficient and robust AD clinical trials

A predictive multi-modal imaging marker for designing efficient and robust AD clinical trials

A predictive multi-modal imaging marker for designing efficient and robust AD clinical trials Vikas Singh , Ozioma Okonkwo Sterling C. Johnson , Vamsi K. Ithapu Computer Sciences Biostatistics and Medical Informatics

793 views • 54 slides
Traditional Definition of Artificial Intelligence Trends Artificial Intelligence (AI) is

Traditional Definition of Artificial Intelligence Trends Artificial Intelligence (AI) is

Traditional Definition of Artificial Intelligence Trends Artificial Intelligence (AI) is the part of in Artificial Intelligence computer science concerned with designing and Artificial Life intelligent computer systems, that is,

603 views • 13 slides
Where will PyRAF lead us?: The future of data analysis software at STScI Perry Greenfield

Where will PyRAF lead us?: The future of data analysis software at STScI Perry Greenfield

Where will PyRAF lead us?: The future of data analysis software at STScI Perry Greenfield Science Analysis Tools Project Space Telescope Science Institute Baltimore, MD Original Goals A more robust CL for IRAF Primarily to address

454 views • 11 slides
Inheritance Big software n software engineering : The practice of conceptualizing, designing,

Inheritance Big software n software engineering : The practice of conceptualizing, designing,

Inheritance Big software n software engineering : The practice of conceptualizing, designing, developing, documenting, and testing large- scale computer programs. n Large-scale projects face many issues: q getting many programmers to work

586 views • 40 slides
Efficient &amp; Robust LK for Mobile Vision Instructor - Simon Lucey 16-623 - Designing Computer

Efficient &amp; Robust LK for Mobile Vision Instructor - Simon Lucey 16-623 - Designing Computer

Efficient &amp; Robust LK for Mobile Vision Instructor - Simon Lucey 16-623 - Designing Computer Vision Apps Direct Method Indirect Method (ours) (ORB+RANSAC) H. Alismail, B. Browning, S. Lucey Bit-Planes: Dense Subpixel Alignment of

902 views • 67 slides
Robust stability analysis of uncertain Linear Positive Systems via Integral Linear Constraints: L 1

Robust stability analysis of uncertain Linear Positive Systems via Integral Linear Constraints: L 1

Introduction Stability analysis and norm computation Robust stability analysis Examples Conclusion Robust stability analysis of uncertain Linear Positive Systems via Integral Linear Constraints: L 1 and L -gain characterizations Corentin

460 views • 22 slides
Data-Driven Robust Control for a Closed-Loop Artificial Pancreas Nicola Paoletti Department of

Data-Driven Robust Control for a Closed-Loop Artificial Pancreas Nicola Paoletti Department of

Data-Driven Robust Control for a Closed-Loop Artificial Pancreas Nicola Paoletti Department of Computer Science, Stony Brook University, USA Joint work with: Shan Lin, Scott A Smolka, Kin Sum Liu - Supported by NSF CPS Frontier grant

667 views • 9 slides
Hazard Analysis Design Hazard Analysis Design Recognizing the difficulty in designing an

Hazard Analysis Design Hazard Analysis Design Recognizing the difficulty in designing an

Hazard Analysis Design Hazard Analysis Design Recognizing the difficulty in designing an accurate, effective HACCP plan or hazard analysis, outlining a business school approach to the task, and rewarding and cherishing those that have the

414 views • 22 slides
QstatLab: software for statistical process control and robust engineering I.N.Vuchkov Iniversity

QstatLab: software for statistical process control and robust engineering I.N.Vuchkov Iniversity

QstatLab: software for statistical process control and robust engineering I.N.Vuchkov Iniversity of Chemical Technology and Metallurgy 1756 Sofia, Bulgaria qstat@dir.bg Abstract A software for quality improvement is presented. The main

328 views • 5 slides
Robust Location and Scatter Estimators Outline for Multivariate Data Analysis Background

Robust Location and Scatter Estimators Outline for Multivariate Data Analysis Background

Robust Location and Scatter Estimation Robust Location and Scatter Estimation Robust Location and Scatter Estimators Outline for Multivariate Data Analysis Background and Motivation {robustbase}, {rrcov} Computing the Robust

512 views • 16 slides
Measuring the World: Designing Robust Vehicle Localization for Autonomous Driving Frank Schuster,

Measuring the World: Designing Robust Vehicle Localization for Autonomous Driving Frank Schuster,

Measuring the World: Designing Robust Vehicle Localization for Autonomous Driving Frank Schuster, Dr. Martin Haueis Agenda Motivation: Why measure the world for autonomous driving? Map Content: What do we need to know about the world

401 views • 23 slides
Experimentation in Software Engineering: Theory and Practice Part I Planning and Designing

Experimentation in Software Engineering: Theory and Practice Part I Planning and Designing

Experimentation in Software Engineering: Theory and Practice Part I Planning and Designing your Experiment Massimiliano Di Penta University of Sannio, Italy Outline Empirical studies in software engineering Different kinds of

1.62k views • 146 slides
How Better Are Predictive Robust Interval . . . Models: Analysis on the Analysis of the Problem

How Better Are Predictive Robust Interval . . . Models: Analysis on the Analysis of the Problem

Predictions Are Important Traditional Statistics . . . Predictive Approach Measurement . . . How Better Are Predictive Robust Interval . . . Models: Analysis on the Analysis of the Problem How Accurate Are . . . Practically Important

368 views • 22 slides
Dissertation Proposal: The Evolution of Robust Software Eric Schulte University of New Mexico

Dissertation Proposal: The Evolution of Robust Software Eric Schulte University of New Mexico

Dissertation Proposal: The Evolution of Robust Software m c h t a b c , a i n ; = a g ! i r ) i a n r ] n ( ( a * [ f v t i t n g ; r b i a a [ i ( r ] f n g * ) n t ( i c r i a a , a

669 views • 49 slides
The Scalable Commutativity Rule: Designing Scalable Software for Multicore Processors Austin T.

The Scalable Commutativity Rule: Designing Scalable Software for Multicore Processors Austin T.

The Scalable Commutativity Rule: Designing Scalable Software for Multicore Processors Austin T. Clements M. Frans Kaashoek Nickolai Zeldovich Robert Morris Eddie Kohler MIT CSAIL and Harvard Current approach to scalable software

1.48k views • 55 slides
Data Quality Assurance 25.06.20 | Software Engineering for Artificial Intelligence | A.

Data Quality Assurance 25.06.20 | Software Engineering for Artificial Intelligence | A.

Data Quality Assurance 25.06.20 | Software Engineering for Artificial Intelligence | A. Alizadeh, T. Ihlefeld | 1 Importance of Data Quality Source: [1] Swartz (2007) 25.06.20 | Software Engineering for Artificial Intelligence | A.

770 views • 29 slides
Artificial Nose Technology: The WI -Nose A Profitability and Market Analysis for the Development

Artificial Nose Technology: The WI -Nose A Profitability and Market Analysis for the Development

Artificial Nose Technology: The WI -Nose A Profitability and Market Analysis for the Development of Artificial Nose Technology to Monitor the Fermentation Process in Wine Shawna M. Linehan Sarosh N. Nizami What is an E-Nose? An artificial

1.36k views • 82 slides
How robust are stratospheric H 2 O and AoA trends derived from different re-analysis products?

How robust are stratospheric H 2 O and AoA trends derived from different re-analysis products?

How robust are stratospheric H 2 O and AoA trends derived from different re-analysis products? Paul Konopka, Felix Ploeger, Bernard Legras, Mengchu Tao, Liuba Poshyvailo, Xiaolu Yan, Jonathon Wright, Rolf M uller and Martin Riese

989 views • 44 slides
Software Engineering for Artificial Intelligence Introduction 21.04.2020 | FB20 | Reactive

Software Engineering for Artificial Intelligence Introduction 21.04.2020 | FB20 | Reactive

Software Engineering for Artificial Intelligence Introduction 21.04.2020 | FB20 | Reactive Programming &amp; Software Technology | 1 Attendance via Zoom Lets try to make this a great experience for all of us: Please check your setup

371 views • 18 slides
Robust indoor loca/on tracking via interval analysis

Robust indoor loca/on tracking via interval analysis

Robust indoor loca/on tracking via interval analysis Mohamed-Hdi AMRI, Yasmina BECIS, Didier AUBRY &amp; Nacim RAMDANI Universit dOrlans,

605 views • 35 slides

More recommend