BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//Talks.cam//talks.cam.ac.uk//
X-WR-CALNAME:Talks.cam
BEGIN:VEVENT
SUMMARY:Analysis and Classification of Android Malware - Lorenzo Cavallaro
 \, Information Security Group (ISG)\, Royal Holloway\, University of Londo
 n
DTSTART:20171010T130000Z
DTEND:20171010T140000Z
UID:TALK72862@talks.cam.ac.uk
CONTACT:Alexander Vetterl
DESCRIPTION:Mobile devices and their application marketplaces drive the en
 tire economy of today's mobile landscape. Android platforms alone have pro
 duced staggering revenues\, exceeding five billion USD\, which has attract
 ed cybercriminals and increased malware in Android markets at an alarming 
 rate. To better understand this slew of threats\, in this talk I first int
 roduce CopperDroid\, an automatic VMI based dynamic analysis system to rec
 onstruct the behaviors of Android malware\, developed within the Systems S
 ecurity Research Lab at Royal Holloway\, University of London. \n\nThe nov
 elty of CopperDroid lies in its agnostic approach to identify interesting 
 OS- and high-level Android-specific behaviors often expressed through comp
 lex inter-component interactions involving Android objects. CopperDroid's 
 analysis generates detailed behavioral profiles that abstract a large stre
 am of low-level (often uninteresting) events into concise\, high-level sem
 antics\, which is well-suited to provide insightful behavioral tr
 aits and op
 en the possibility to further research directions. \n\nTo this end\, I the
 n show our research efforts to investigate the efficacy of behavioral prof
 iles of different abstractions to differentiate between families of Androi
 d malware. In addition\, in a significant departure from traditional class
 ification techniques\, we further apply a statistical classification appro
 ach to include samples showing poor behavior counts and depict a means to 
 achieve near-perfect accuracy by considering a prediction set of the top f
 ew matches rather than a singular choice. Despite the promising resu
 lts\, malware evolves rapidly and it thus becomes hard\, if not imposs
 ible\, to generalize lear
 ning models to reflect future\, previously-unseen behaviors. \n\nI conclud
 e my talk by introducing Transcend\, a framework to identify aging classif
 ication models in vivo during deployment\, much before the machine learnin
 g model's performance starts to degrade. Our approach uses a statistical c
 omparison of samples seen during deployment with those used to train the m
 odel\, thereby building metrics for prediction quality. I show how Transce
 nd can be used to identify concept drift based on two separate case studie
 s on Android and Windows malware\, raising a red flag before the model sta
 rts making consistently poor decisions due to out-of-date training.\n\n\n\
 n\nBio\n\n\nLorenzo Cavallaro is a Reader (Associate Professor) of Informa
 tion Security in the School of Mathematics and Information Security at Roy
 al Holloway\, University of London. In 2014\, he established and has sin
 ce led the Systems Security Research Lab (S2Lab\, http://s2lab.isg.rhul.a
 c.uk)\, whose underpinning research builds on program analysis and machine
  learning to address threats against the security of computing systems. Pr
 ior to joining Royal Holloway\, University of London in 2012 as a Lecture
 r (A
 ssistant Professor)\, Lorenzo held Post-Doctoral (UC Santa Barbara\, Vrije
  Universiteit Amsterdam) and visiting scholar (Stony Brook University) pos
 itions\, as well as a PhD in Computer Science awarded from the University 
 of Milan in 2008. He sits on the technical program committees of and has p
 ublished in top-tier and well-known venues (e.g.\, ACM CCS\, NDSS\, IEEE T
 IFS\, ACSAC\, RAID\, USENIX WOOT) as well as being PI in a number of resea
 rch projects primarily funded by the UK EPSRC\, the EU\, Royal Holloway\, 
 and McAfee. Lorenzo teaches Malicious Software (undergraduate) and Softwar
 e Security (graduate)\, a passion he also nurtured through the participati
 on in (e.g.\, DEF CON 2008-09) and co-organization of (e.g.\, DIMVA 2011\,
  UCSB iCTF 2008-09\, ISG Open Day 2016) CTF-like computer security exercis
 es.\n
LOCATION:LT2\, Computer Laboratory\, William Gates Building
END:VEVENT
END:VCALENDAR
