Attacks on computer systems and networks are on rise. Corporation, governments, and industrials are witnessing an augmentation of ransomwares, a threat to their operations and disruption to the services they provide. Risks incurred by individual, small and medium corporations, as well as industrials and government are higher and higher. The cyber security domains are about the three pillars: prevention, detection, and defense (passive and active). The CyS&CIP research center contributes to the international effort to advance research in cyber security and infrastructure protection and train highly qualified resources.

The Vision and ambition of CyS&CIP

• Lead in Cyber Security and Critical Infrastructure Protection in Morocco, Africa and be among the best in the world.

• Position UM6P in in the fields at national and regional levels.

• Advance theoretical and applied research in cyber security and critical infrastructure protection.

• Train highly qualified personnel in this multidisciplinary domain.

• Offer research assistance to stakeholders and industrial partners.

• Foster collaboration between researchers from different institutions, countries, and industrial and government organizations.

• Engage international community to not leave Africa behind in these critical research areas.

The Mission of CyS&CIP:

• Advance theoretical and applied research in cyber security and critical infrastructure protection.

• Explore Interdisciplinary research in cyber security and critical infrastructure protection.

• Develop and promote excellence in the selected areas of research.

• Establish strong collaboration with Academia, Industry, Government, and Corporations.

• Encourage internal and external collaboration.

• Create new synergies among researchers.

• Attract and retain outstanding faculty and graduate students.

• Offer PhD degree and master’s degree programs in interdisciplinary domains.

• Train students in cutting edge technologies.

CyS&CIP is opening a PhD position on Cyber security monitoring and malware detection and prevention

Supervisors: Ismail Berrada, Ahmed Ratnani (UM6P), Amr Youssef, Chadi Assi (Concordia University)

Keywords: Malware analysis, Internet of Things (IoT), Binary analysis, Machine learning, Contrastive Learning, Concept Drift, evolutionary games, false alarms

The analysis of the IoT threat landscape marked by orchestrated cyber attacks on compromised IoT devices has demonstrated the insecurity of these devices at large. In addition, the significant number of vulnerable Internet-connected IoT devices has led to the rise of IoT-tailored malware as a major threat in recent years. In fact, the availability of the malicious source code of the Mirai botnet led to the evolution of new and powerful Mirai-like variants. This rapid evolution of IoT malware is most likely to cause the performance of classifiers to degrade over time, known as concept drift. Hence, it is imperative to mitigate such threats by developing effective tools and techniques for the prompt detection, prevention, and analysis of IoT malware binaries and their evolution. Nevertheless, the peculiarities of IoT malware makes the adoption of such measures quite challenging.

An effective approach to analyzing IoT malware binaries and studying their genealogy requires first the collection of a large and representative dataset of malware samples. For this purpose, IoT-specialized honeypots, such as IoTPOT, as well as popular malware repositories (e.g., VirusTotal, VirusShare) can be leveraged. Unfortunately, the labels assigned to IoT malware samples by these Anti-Virus vendors are often coarse-grained and unable to capture the evolutionary characteristics (e.g., code sharing) of IoT malware. Filling this gap requires proposing a systematic way to compare IoT malware samples and working towards a finer-grained classification that would enable the study of differences among sub-families. Various studies have focused on the clustering of traditional malware to explore their lineage, proving the complexity of these problems when adopted to the peculiarities of IoT malware. Cozzi et al. have resorted to a complex and time-consuming solution based on code-level analysis and function similarity. While the authors provide invaluable insights, the lack of scalable Linux-compatible multi-architecture binary similarity techniques have led them to use off-the-shelf binary diffing tools, which required a substantial amount of manual adjustments and validation (i.e., symbols extraction and propagation), due to the statically-linked nature of IoT malware. Throughout this proposed research project, we plan to adopt a solution using embeddings. The idea is to transform each binary function into a vector of numbers (i.e., an embedding) in such a way that binary code compiled from the same source results in vectors that are similar. A main advantage to this approach is that computing the similarity of multiple embeddings is fast, cheap and can be applied to stripped binaries of multiple architectures. Such embeddings can be computed using the state-of-the-art Transformer architecture which can produce semantic-aware code representation of a binary code.

To automatically detect evolving/drifting IoT variants of the same class, and consequently interpret the meaning behind the drift (e.g., which mutations distinguish one variant from another), we can utilize the power of contrastive learning to learn a good distance function from existing training data, based on existing labels, to distinguish similar samples (i.e., embeddings) from the others. This function is learned by contrasting samples to enlarge the distances between those that have differences, while reducing the distance between samples that are closely similar.

Combatting concept drift requires examining the relationships between the incoming new IoT data and the training data. Indeed, detecting and understanding drifting variants lay the foundation for an interpretable and robust classifier against concept drift and adversarial examples. In addition, the Transformer-based generated function embeddings can be leveraged to study the temporal evolution of a certain function (e.g., scanning function) over time, as well as can pave the way for further interesting applications, such as a semantic-based binary function search engine. Such engine can enable the search for vulnerable functions, and in turn the study of the coordination and competition among botnets, which is still underexplored in literature. A design flaw in Mirai’s random number function generator has allowed Girffioen et al. to obtain insights into Mirai infection strategies worldwide and their continuous fights with competitors. Moreover, function embeddings generated using deep learning techniques can be leveraged to solve the problem of assigning names to functions in stripped binaries, which can be a very useful feature for all those fields where reverse-engineering code plays a crucial role.

In summary, our aim is to understand how classifiers react to changes in the underlying distribution of IoT malware samples over time. In particular, we want to detect and understand evolving IoT malware within the same malware families, by leveraging, e.g., state-of-the-art techniques in NLP and representation learning.

Among the objectives of this thesis is to create a system capable of understanding, detecting and preventing malicious connections using applied concepts of machine learning and also the use of evolutionary games which allows to adapt the strategies of the nodes according to the attacker behavior. also offer an intrusion detection system with the minimum of false alarms.

References

• [1] Antonakakis, Manos, et al. "Understanding the mirai botnet." 26th USENIX security symposium (USENIX Security 17). 2017.

• [2] Pa, Yin Minn Pa, et al. "IoTPOT: Analysing the rise of IoT compromises." 9th USENIX Workshop on Offensive Technologies (WOOT 15). 2015.

• [3] Cozzi, Emanuele, et al. "The tangled genealogy of IoT malware." Annual Computer Security Applications Conference. 2020.

• [4] Chen, Ting, et al. "A simple framework for contrastive learning of visual representations." International conference on machine learning. PMLR, 2020.

• [5] Griffioen, Harm, and Christian Doerr. "Examining mirai's battle over the internet of things." Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security. 2020.

Requirements

• Master or engineer in computer science or similar discipline

• Background in machine learning and security

• Ability to work in interdisciplinary teams and good communication skills in English

• Vey good experience in python (Pytorch) or matlab