Paulo Lício De Geus
University of Campinas | UNICAMP · Institute of Computing

Doctor

About

160
Publications
46,421
Reads
1,151
Citations
Citations since 2017
35 Research Items
873 Citations
Additional affiliations
August 1984 - present
University of Campinas
Position
  • Professor (Associate)

Publications

Publications (160)
Conference Paper
Full-text available
Many solutions to detect malware have been proposed over time, but effective and efficient malware detection still remains an open problem. In this work, I take a look at some malware detection challenges and pitfalls to contribute towards increasing systems' malware detection capabilities. I propose a new approach to tackle malware research in a p...
Article
AntiViruses (AVs) are the main defense line against attacks for most users and much research has been done about them, especially proposing new detection procedures that work in academic prototypes. However, as most current and commercial AVs are closed-source solutions, in practice, little is known about their real internals: information such as w...
Article
Full-text available
Malware analysis is an essential task to understand infection campaigns, the behavior of malicious codes, and possible ways to mitigate threats. Malware analysis also allows better assessment of attackers’ capabilities, techniques, and processes. Although a substantial amount of previous work provided a comprehensive analysis of the international m...
Article
Full-text available
Abstract. While blocking malware samples at the endpoint level is essential for handling newly created threats, controlling threats at large scale is only possible by blocking the network services they use. This study sets out to investigate how this type of blocking occurs in practice, aiming to identify the...
Conference Paper
This work did ample research on techniques used by advanced threats that aim to evade detection systems, elevate privileges and manipulate objects in a modern OS kernel, using the Windows 10 kernel as a test bench. Given state-of-the-art attacks in kernelspace, this work's main goal is to design a secure mechanism to protect the OS kernel against a...
Conference Paper
Full-text available
While blocking malware samples at the endpoint level is essential for handling newly created threats, controlling threats at large scale is only possible by blocking the network services they use. This study sets out to investigate how this type of blocking occurs in practice, aiming to identify the problems...
Chapter
Full-text available
The security of application installers is often overlooked, but the security risks associated to these pieces of code are not negligible. Online public repositories have been one of the most popular ways for end users to obtain software, but there is a lack of systematic security evaluation of popular public repositories. In this paper, we bridge t...
Article
Full-text available
Kernel monitoring is often a hard task, requiring external debuggers and/or modules to be successfully performed. These requirements make analysis procedures more complicated because multiple machines, albeit virtualized ones, are required. These requirements also make analysis procedures more expensive. In this paper, we present the Lightweight K...
Article
Full-text available
Security evaluation is an essential task to identify the level of protection accomplished in running systems or to aid in choosing better solutions for each specific scenario. Although antiviruses (AVs) are one of the main defensive solutions for most end-users and corporations, AV’s evaluations are conducted by few organizations and often limited...
Conference Paper
Most software installed on current users' machines was obtained from public software repositories, which are responsible for millions of downloads every day. While practical, the reliance on this type of service might render users susceptible to downloading infected software to their machines. In this work, we investigated the prevalence of malicious...
Article
Full-text available
Malware are persistent threats to any networked system. The increase in multi-core, distributed systems in recent years has created new opportunities for malware authors to exploit such capabilities. In particular, the distributed execution of a malware in multiple cores may be used to evade currently widespread single-core-based detectors (e.g., antiviruses...
Conference Paper
Full-text available
A major threat to systems' security is malware infections, which cause financial and image losses to corporate and end-users, thus motivating the development of malware detectors. In this scenario, Machine Learning (ML) has been demonstrated to be a powerful technique to develop classifiers able to distinguish malware from goodware samples. However,...
Conference Paper
Full-text available
Malware are persistent threats to computer systems, and analysis procedures allow developing countermeasures to them. However, as samples are spreading at growing rates, malware clustering techniques are required to keep analysis procedures scalable. Current clustering approaches use Call Graphs (CGs) to identify polymorphic samples, but they consid...
Chapter
Full-text available
Malicious software has been evolving to look ever more innocuous to the targeted system. Moreover, it has been relying on obfuscation and anti-analysis techniques to avoid having its behavior discovered during execution, thus making forensic procedures harder to conduct in a proper manner. Reverse engineering is a useful procedure...
Conference Paper
Full-text available
Today's world is supported by connected, electronic systems, thus ensuring their secure operation is essential to our daily lives. A major threat to system's security is malware infections, which cause financial and image losses to corporate and end-users, thus motivating the development of malware detectors. In this scenario, Machine Learning (ML)...
Conference Paper
Full-text available
Although malware is a threat to most systems, the main line of defense against it (AntiViruses, or AVs) consists of performance-intensive applications that cause slowdowns due to the need for constant target-system monitoring. An effective alternative for accelerating AV operation is to move them from software to hardware, thus eliminating their imposed...
Conference Paper
Full-text available
Malware infections are constant threats to multiple computing platforms and binary classification leveraging machine learning (ML) techniques has been demonstrated to be a promising approach for fighting these infections. Currently, most ML solutions focus only on the Windows platform. To bridge this development gap, we present Forseti, a solution...
Conference Paper
Full-text available
Binary reverse engineering is an essential task in the security field, both for validating legitimate applications and for analyzing malicious code. Although GDB is a powerful solution for analyzing benign applications, it has limitations when dealing with malicious applications specially developed to...
Article
Full-text available
Linux applications are finding their role in important computer systems. As these systems grow, they become targets for malware. Therefore, understanding the security impacts of malware infections on them is essential to allow system hardening and countermeasure development. In this project, we developed tools and systems for evaluati...
Article
Full-text available
Malware overview reports are valuable information to understand threat behavior and develop proper countermeasures. Currently, most of these studies are focused on either fine-grained, individual sample analysis or coarse-grained landscapes. On the one hand, only the first allows professionals to handle specific security breaches. On the other han...
Conference Paper
Full-text available
Linux applications are finding their role in important computer systems. As their use grows, they become targets for malware. Therefore, understanding the security impacts of malware infections on them is essential to allow system hardening and countermeasure development. In this paper, we evaluate malicious ELF binaries to present a l...
Conference Paper
Full-text available
Programming is an error-prone task, which may result in application misbehavior. From the safety point of view, crashes are undesirable as they affect user experience, whereas from the security point of view, vulnerability exploitation can lead to security violations. Although fuzzing and other testing techniques help to minimize undesirable events...
Chapter
Full-text available
Binary analysis is a key step for security procedures, such as systems inspection and validation. Modern architectures are powered by many resources and features which result in more efficient, and also more complex, applications and code. These resources and features include virtual machine support, BIOS and chipset code execution, isolated enclave...
Conference Paper
Full-text available
Malware overview reports are valuable information to understand threat behavior and develop proper countermeasures. Currently, most of these studies are focused on either fine-grained, individual sample analysis or coarse-grained landscapes. On the one hand, only the first allows professionals to handle specific security breaches. On the other han...
Article
Full-text available
Malicious software, a threat users face on a daily basis, has evolved from simple bankers based on social engineering to advanced persistent threats. Recent research and discoveries reveal that malware developers have been using a wide range of anti-analysis and evasion techniques, in-memory attacks, and system subversion, including BIOS and hyper...
Conference Paper
Full-text available
Malicious software (malware) is a persistent threat to modern computer systems, and the development of countermeasures to it becomes harder each day due to the emergence of anti-analysis and anti-forensics techniques able to evade software-based monitoring solutions. In this scenario, hardware-assisted solutions are effective alternatives, but st...
Article
Full-text available
In order to thwart dynamic analysis and bypass protection mechanisms, malware have been using several file formats and evasive techniques. While publicly available dynamic malware analysis systems are one of the main sources of information for researchers, security analysts and incident response professionals, they are unable to cope with all types...
Article
Malware and code-reuse attacks are the most significant threats to current systems' operation. Solutions developed to counter them have their weaknesses exploited by attackers through sandbox evasion and anti-debug crafting. To address such weaknesses, we propose a framework that relies on the modern processors' branch monitor feature to allow...
Conference Paper
Full-text available
Malicious software (malware) has been extensively used for illegal activity and new malware variants are discovered at an alarmingly high rate. The ability to group malware variants into families with similar characteristics makes it possible to create mitigation strategies that work for a whole class of programs. In this paper, we present a malware f...
Conference Paper
Full-text available
Despite the numerous advantages offered by cloud computing services, security aspects constitute a critical issue when considering adopting this kind of service. Novel intrusion detection methods have been proposed in order to mitigate attacks against the several layers of cloud architectures. In this paper, we present an intrusion detection syste...
Conference Paper
Full-text available
Malicious programs are persistent threats to computer systems, and the damage they cause extends from financial losses to critical infrastructure attacks. Malware analysis aims to provide useful information to be used for forensic procedures and countermeasure development. To thwart that, attackers make use of anti-analysis techniques that prevent or diffi...
Conference Paper
This paper presents the current status of our research on the robustness of CoAP server-side implementations. We discuss the importance of the CoAP protocol as an enabler of the Internet of Things (IoT) vision, and also the current state of CoAP implementations available out there. Then, we proceed to test those implementations using fuzzing techni...
Conference Paper
Full-text available
Dynamic analysis is one of the main techniques used to characterize malware, identify its functionality and develop countermeasures. Therefore, malware developers continuously look for ways to prevent their code from executing in these environments, hindering detection. Furthermore, advances in systems...
Conference Paper
Full-text available
Code injection was one of the main attacks against computer systems. The adoption of hardware-supported non-executable pages (NX/XD) and data execution prevention (DEP) eliminated the problem in practice. However, attackers began to divert the legitimate control flow, chaining code blocks (gadgets) via instructions of...
Conference Paper
Full-text available
Debuggers are important tools in software development, as they assist in code inspection and, with it, its validation. In systems security, debuggers can be used in malware analysis and reverse engineering, allowing the investigation of several execution paths of applications. However, legitimate programs (for protection...
Article
Malicious programs have been the main actors in complex, sophisticated attacks against nations, governments, diplomatic agencies, private institutions and people. Knowledge about malicious program behavior forms the basis for constructing more secure information systems. In this article, we introduce MBO, a Malicious Behavior Ontology that represen...
Conference Paper
Full-text available
Current static analysis techniques for Android applications operate at the Java level - that is, they analyze either the Java source code or the Dalvik bytecode. However, Android allows developers to write code in C or C++ that is cross-compiled to multiple binary architectures. Furthermore, the Java-written components and the native code components...
Conference Paper
Full-text available
Malware is one of the main attack vectors to compromise computer systems. To be ahead of security mechanisms, malware authors diversify their creations by inserting evasive functions, applying obfuscation techniques, and modularizing them into distributed components. In addition, distinct trends can be observed in different countries, according to...
Conference Paper
Full-text available
Cloud Computing has introduced a variety of models of service delivery and deployment for public, hybrid and private clouds that changed enterprise computing. Several providers offer these services, and each uses different models and pricing solutions. One of the most complex tasks for an IT governance team is to calculate the total cost of an IT s...
Article
Full-text available
Malicious code attacks pose a serious threat to the security of information systems, as malware evolved from innocuous conceptual software to advanced and destructive cyber weapons. However, there is still a lack of a comprehensive and useful taxonomy to classify malware according to their behavior, since commonly used names are obsolete and unab...
Article
Full-text available
The lack of novel security controls for the cloud might arise from the fact that Cloud Computing is the convergence of many different technological areas, including Utility Computing, Computational Grid, Autonomous Computing, Virtualization and Service Oriented Architectures. These underlying areas have been independently addressed by existing gener...
Conference Paper
A Web Service is a software system designed to support interoperable machine-to-machine interaction over a network; it also provides a standard means of interoperating between different software applications. However, Web Services have raised new challenges in information security: this technology is susceptible to XML Injection attacks, which woul...
Conference Paper
Full-text available
Malicious programs (malware) are persistent security threats, constantly evolving to avoid detection and dynamic analysis. Currently, none of the systems described in the literature or publicly available support 64-bit malware (PE+). Monitoring malware on Windows NT 6.x is made harder by the introduction of new mechanisms...
Conference Paper
Cloud Computing has introduced new technologies and architectures that have changed enterprise computing. In particular, when contracting a cloud service, an important aspect is how security policies will be applied in this environment characterized by virtualization and large-scale multi-tenancy. Security metrics can...
Conference Paper
The ubiquity of Internet-connected devices motivates attackers to create malicious programs (malware) to exploit users and their systems. Malware detection requires a deep understanding of their possible behaviors, one that is detailed enough to tell apart suspicious programs from benign, legitimate ones. A step to effectively address the malware p...
Article
Full-text available
The constant evolution of mobile devices’ resources and features turned ordinary phones into powerful and portable computers, leading their users to perform payments, store sensitive information and even to access other accounts on remote machines. This scenario has contributed to the rapid rise of new malware samples targeting mobile platforms. Gi...
Conference Paper
An important aspect to security management is the continuous monitoring of the environment where we want to ensure security. However, there are still very few results in the field of security monitoring in cloud computing, which happens mainly because of the environment characteristics like virtualization, multilayer and multitenancy service. Aimin...
Conference Paper
Mobile devices depend on "stores" to mediate the acquisition of their applications. Android devices rely on the official store, Google Play, or on alternative stores, which may not adequately restrict or evaluate the applications they make available. The less rigorous control, combined with the growth in the amount of malware targeting...
Conference Paper
The increase in the number of mobile devices sold has led to the emergence of countless malware samples for these platforms. This situation is especially serious in the case of the Android system, whose stores (official and alternative) serve as infection points for many users. Hence, it is necessary to develop techniques to...
Conference Paper
Full-text available
"Bankers" are special types of malware whose targets are Internet banking users, mainly to obtain their credentials. Banker infections cause losses of billions of dollars worldwide. Thus, better understanding and detection of bankers is required. Due to their interactive nature, obtaining bankers' behaviors can be a difficult task for current dynam...
Conference Paper
Full-text available
Desirable requirements of cloud computing are to avoid wasting underused resources and increasing response time due to shortage of resources. We notice that recent literature in the field prioritizes the administration of resource provisioning and the allocation algorithms for an energy-efficient management of cloud computing environments. Security...
Conference Paper
Full-text available
Malicious code (malware) is used to steal sensitive data, to attack corporate networks, and to deliver spam. To silently compromise systems and maintain their access, malware developers usually apply obfuscation techniques that result in a massive amount of malware variants and that can render static analysis approaches ineffective. To address the...
Conference Paper
Full-text available
Malicious programs pose a major threat to Internet-connected systems, increasing the importance of studying their behavior in order to fight against them. In this paper, we propose definitions to the different types of behavior that a program can present during its execution. Based on those definitions, we define suspicious behavior as the group of...
Conference Paper
Full-text available
Malicious software attacks can disrupt information systems, violating security principles of availability, confidentiality and integrity. Attackers use malware to gain control, steal data, keep access and cover traces left on the compromised systems. The dynamic analysis of malware is useful to obtain an execution trace that can be used to assess t...
Conference Paper
A security analyst plays a key role in tackling unusual incidents, which is an exhausting task to do properly: a single service can generate a massive amount of log data in a single day. The analysis of such data is a challenge. Among several available techniques, parallel coordinates have been widely used for visualization of high-dimensiona...
Conference Paper
Full-text available
Malicious programs (malware) cause serious security issues to home users and even to highly secured enterprise systems. The main infection vector currently used by attackers is the Internet. To improve the detection rate and to develop protection mechanisms, it is very important to analyze and study these threats. To this end, several systems were...
Article
Full-text available
Malicious code (malware) that spreads through the Internet-such as viruses, worms and trojans-is a major threat to information security nowadays and a profitable business for criminals. There are several approaches to analyze malware by monitoring its actions while it is running in a controlled environment, which helps to identify malicious behavio...
Article
Full-text available
Security administrators face the challenge of designing, deploying and maintaining a variety of configuration files related to security systems, especially in large-scale networks. These files have heterogeneous syntaxes and follow differing semantic concepts. Nevertheless, they are interdependent due to security services having to cooperate and th...