Author Archives: Daniele Sgandurra

Automated Dynamic Analysis of Ransomware: Benefits, Limitations and use for Detection

Recent statistics show that in 2015 more than 140 millions new malware samples have been found. Among these, a large portion is due to ransomware, the class of malware whose specific goal is to render the victim’s system unusable, in particular by encrypting important files, and then ask the user to pay a ransom to revert the damage. Several ransomware include sophisticated packing techniques, and are hence difficult to statically analyse. We present EldeRan, a machine learning approach for dynamically analysing and classifying ransomware. EldeRan monitors a set of actions performed by applications in their first phases of installation checking for characteristics signs of ransomware. Our tests over a dataset of 582 ransomware belonging to 11 families, and with 942 goodware applications, show that EldeRan achieves an area under the ROC curve of 0.995. Furthermore, EldeRan works without requiring that an entire ransomware family is available beforehand. These results suggest that dynamic analysis can support ransomware detection, since ransomware samples exhibit a set of characteristic features at run-time that are common across families, and that helps the early detection of new variants. We also outline some limitations of dynamic analysis for ransomware and propose possible solutions.

Daniele Sgandurra, Luis Muñoz-González, Rabih Mohsen, Emil C. Lupu. In ArXiv e-prints, arXiv:1609.03020, September 2016.

Formalizing Threat Models for Virtualized Systems

30th Annual IFIP WG 11.3 Working Conference on Data and Applications Security and Privacy (DBSec 2016)!

Authors: Daniele Sgandurra, Erisa Karafili and Emil Lupu.

Abstract: We propose a framework, called FATHoM (FormAlizing THreat Models), to define threat models for virtualized systems. For each component of a virtualized system, we specify a set of security proper- ties that defines its control responsibility, its vulnerability and protection states. Relations are used to represent how assumptions made about a component’s security state restrict the assumptions that can be made on the other components. FATHoM includes a set of rules to compute the derived security states from the assumptions and the components’ relations. A further set of relations and rules is used to define how to protect the derived vulnerable components. The resulting system is then analysed, among others, for consistency of the threat model. We have developed a tool that implements FATHoM, and have validated it with use-cases adapted from the literature.

Paper:Threat Model paper @ DBSec

Publisher’s Link

Evolution of Attacks, Threat Models and Solutions for Virtualized Systems

ACM DL Author-ize serviceEvolution of Attacks, Threat Models, and Solutions for Virtualized Systems

Daniele Sgandurra, Emil Lupu, ACM Computing Surveys (CSUR), Volume 48 Issue 3, Article No. 46, February 2016

Abstract: Virtualization technology enables Cloud providers to efficiently use their computing services and resources. Even if the benefits in terms of performance, maintenance, and cost are evident, however, virtualization has also been exploited by attackers to devise new ways to compromise a system. To address these problems, research security solutions have evolved considerably over the years to cope with new attacks and threat models. In this work, we review the protection strategies proposed in the literature and show how some of the solutions have been invalidated by new attacks, or threat models, that were previously not considered. The goal is to show the evolution of the threats, and of the related security and trust assumptions, in virtualized systems that have given rise to complex threat models and the corresponding sophistication of protection strategies to deal with such attacks. We also categorize threat models, security and trust assumptions, and attacks against a virtualized system at the different layers—in particular, hardware, virtualization, OS, and application.

Download citation (BibTeX format)

Sharing Data Through Confidential Clouds: An Architectural Perspective

Cloud and mobile are two major computing paradigms that are rapidly converging. However, these models still lack a way to manage the dissemination and control of personal and business-related data. To this end, we propose a framework to control the sharing, dissemination and usage of data based on mutually agreed Data Sharing Agreements (DSAs). These agreements are enforced uniformly, and end-to-end, both on Cloud and mobile platforms, and may reflect legal, contractual or user-defined preferences. We introduce an abstraction layer that makes available the enforcement functionality across different types of nodes whilst hiding the distribution of components and platform specifics. We also discuss a set of different types of nodes that may run such a layer.

 Daniele Sgandurra, Francesco Di Cerbo, Slim Trabelsi, Fabio Martinelli, and Emil Lupu: Sharing Data Through Confidential Clouds: An Architectural PerspectiveIn proceedings of the 1st International Workshop on TEchnical and LEgal aspects of data pRivacy and SEcurity, 2015 IEEE/ACM, pp. 58-61, DOI: 10.1109/TELERISE.2015.19. Bibtex.

Daniele Sgandurra

Daniele joined the group as a Research Associate after having completed a PhD at University of Pisa, and having worked at IIT-CNR as a PostDoc Researcher. Daniele’s main research fields include virtualization and cloud security, threat modeling, mobile security, malware analysis and  critical infrastructures and risk management.

His personal homepage can be found here. Daniele is now a Lecturer in the Security Group at Royal Holloway, University of London